Question for the technically minded - VPN and data protection

[Litenbror]

Woah dude, don't get your back up, you're posting a lot in this thread and gave the idea that you're up for the discussion.



This doesn't seem like an issue for those of us that don't have a google account. The problem of apps also aren't an issue if you don't use them and you disable the ones that come stock and cannot be deleted. If you use DuckDuckGo and a VPN on the device, that adds another obvious layer. Lastly, if you use Signal or other such methods for coms there is a layer of encryption, which, I'm assured by my friends hasn't yet been cracked.

So apart from the standard data collected by your phone company, I'm genuinely interested to learn what other ways my phone is dobbing on me. I'm sure those ways exist, but I'm a noob in this space and am keen to learn.

For the phone it might help @johnny if we know the environment you are using? I can assume it's not android because you alluded to not having a Google account but that's an assumption. I think @Squidfayce is pointing out in the last few posts how your phone and other technology can circumvent many of the methods used to avoid data correlation by combining data sources eg. Google knowing your wifi mac address from street view then connecting that with info from your phone and TV.

 

[johnny]

I'm using a late version iPhone, so no google ID (TV not connected to wifi) and as mentioned up the page, all standard procedures taken to restrict access to data (I really don't have much use for apps, I don't use my phone for much other than calls, messages, emails and standard web stuff).

If there's not much more I can do but accept the residual data loss, so be it. I know I can't be anonymous and it's not really my goal. But if there are simple strategies I can use to tighten things up on my phone, I'm keen to know what they are.

 

[Squidfayce]

"Dobbing on you" is not what's being discussed here. It's the likelihood you're giving away more data than you agree to that just become part of the "progress" machine. In aggregate, that data can be used to make heaps of predictions about you that are useful.

Another recent concern is Biometric data harvesting by tiktok, ontop of the device, messaging and location data they already collected.

TikTok Quietly Tweaks Privacy Policy to Collect Your Biometric Data

TikTok quietly updated its privacy policy earlier this week in a way that allows the company to automatically collect extensive data on users in the United States — including data about their faces and their voice. The policy change, first spotted by TechCrunch, specifically states that TikTok...

www.gizmodo.com.au

You might not have tiktok many people don't, but biometric data is already collected at the point of firing up your new phone (finger prints, face scans, iris scans like some recent samsungs). That stuff is not just stored on your local device but in a data center. That can be powerful by itself or with other aggregated data.

Imagine the previous aforementioned facial recognition AI work now being able to access databases of biometric data that's been given away by users to google/apple/Samsung instead of having to justify a use case to governments to access their databases.

Signal, vpns, duck duck blah whatever. These things all give the illusion of privacy, and for some data that's true, but don't underestimate how much you've given away beforw you've even managed to download all these things to your phone and continue to give away even with these things active.

 

[Squidfayce]

Also not got my back up, just saying its no secret that phones are a privacy black hole.

 

[droenn]

I heard on RN (think some privacy expert from ANU) that the ABC iview login requires you to opt-out of them sending your data to Google and Facebook?!

Will see if I can find the story...

Think they also recommended this to check your browser: https://coveryourtracks.eff.org

 

[Squidfayce]

There's a pretty well produced doc that covers the whole Cambridge analytica scandal called "the great hack" that showcases how seemingly innocuous data aggregation can be a powerful tool, how people can be targeted and manipulated.

Also one called "the social dilemma" which covers FB and the like.

Both on Netflix I think.

These are just a start, but should give you a view of how futile a lot of our "privacy" efforts are.

Also don't forget the WiFi signals being able to be used to map rooms, people and objects. This is agnostic of what device or apps you're using. The future of this tech is effectively "Google inside your house view". Probs not for the public, but imagine the capability of being able to dial into an devices signal and see what's happening basically anywhere in the world in real time. Heaps of cool and nefarious uses for this.

 

[PINT of Stella. mate!]

Lastly, if you use Signal or other such methods for coms there is a layer of encryption, which, I'm assured by my friends hasn't yet been cracked.

 

[johnny]

"Dobbing on you" is not what's being discussed here. It's the likelihood you're giving away more data than you agree to that just become part of the "progress" machine. In aggregate, that data can be used to make heaps of predictions about you that are useful.

Another recent concern is Biometric data harvesting by tiktok, ontop of the device, messaging and location data they already collected.

TikTok Quietly Tweaks Privacy Policy to Collect Your Biometric Data

TikTok quietly updated its privacy policy earlier this week in a way that allows the company to automatically collect extensive data on users in the United States — including data about their faces and their voice. The policy change, first spotted by TechCrunch, specifically states that TikTok...

www.gizmodo.com.au

You might not have tiktok many people don't, but biometric data is already collected at the point of firing up your new phone (finger prints, face scans, iris scans like some recent samsungs). That stuff is not just stored on your local device but in a data center. That can be powerful by itself or with other aggregated data.

Imagine the previous aforementioned facial recognition AI work now being able to access databases of biometric data that's been given away by users to google/apple/Samsung instead of having to justify a use case to governments to access their databases.

Signal, vpns, duck duck blah whatever. These things all give the illusion of privacy, and for some data that's true, but don't underestimate how much you've given away beforw you've even managed to download all these things to your phone and continue to give away even with these things active.

So I'm pretty aware of all the things you've mentioned here as well as how data aggregation works (the eco system of orgs collecting, selling aggregating, reselling, psychometrics, etc. etc.) and the take away from what you're saying here seems to be that it's not the phone that's the problem, but what the user puts into it.

So with that being the case, and I know that there are levels of information that I cannot protect, I would disagree with you that all is lost simply because I use a smart phone. If one is careful with how they use the device then many of the issues you cite seem to be irrelevant.

The people that droenn is talking about up the page are my colleagues and in my job I collaborate with policy makers working on data security as well as their private sector counterparts. This doesn't make me an expert, but when I discuss these issues with them, none of them are offering advice similar to which you've given here. They don't seem to think that the average person should just give up because all is lost.

This is why I'm keen to know the precise ways my phone is collecting and sharing my information - like tell me how Signal is doing this. Same with how DuckDuckGo is sharing my data and how the VPN is doing little to protect me. Without specific information it doesn't mean much to say blah blah whatever.

 

[johnny]

View attachment 377612

Nina is Australia's #1 comedian. And I quote: "I'm microdosing for anal by taking a shit"

 

[Squidfayce]

Oh remember faceapp, the app that people used to age themselves? Data harvesting app.

I know of one assistant police commissioner who has all this shit (tiktok, face app etc.) installed on his phone and actively engages with it with his kids despite being told about what these apps are doing.

This is the typical high value user that's most likley to get spied on through this sort of tech. The secret is to normalise it

So I'm pretty aware of all the things you've mentioned here as well as how data aggregation works (the eco system of orgs collecting, selling aggregating, reselling, psychometrics, etc. etc.) and the take away from what you're saying here seems to be that it's not the phone that's the problem, but what the user puts into it.

So with that being the case, and I know that there are levels of information that I cannot protect, I would disagree with you that all is lost simply because I use a smart phone. If one is careful with how they use the device then many of the issues you cite seem to be irrelevant.

The people that droenn is talking about up the page are my colleagues and in my job I collaborate with policy makers working on data security as well as their private sector counterparts. This doesn't make me an expert, but when I discuss these issues with them, none of them are offering advice similar to which you've given here. They don't seem to think that the average person should just give up because all is lost.

This is why I'm keen to know the precise ways my phone is collecting and sharing my information - like tell me how Signal is doing this. Same with how DuckDuckGo is sharing my data and how the VPN is doing little to protect me. Without specific information it doesn't mean much to say blah blah whatever.

I don't mean for this to sound rude, but I've given plenty of reasons your phone is a privacy black hole. I can't underline each line of code for you that's doing bad things in your situation. Given the sheer breadth of fucked up things technology gets away with every day, considder a drake equation like probability of all the things likely to be harvesting you data or doing something you agreed to but didn't totally understand the consequences of, regardless of how benign it all seems. You simply can't know all the things but you can pretty much guarantee the probability your privacy is compromised all the time in some way. These services, often free , monetise by selling data. It's that simple.

The above meme about signal being a drugs short list is eerily accurate. Was a surprise when I saw the names pop up the first time I loaded it and continue to pop up.

Ever think about why and how signal makes the connection which of your existing contacts are on signal already? Doesn't seem very private.

VPNs aren't the be all of data privacy either. Ever pay for something while on a VPN? Great you masked your location, then likley used identifiable information on a payment portal voiding all the privacy you just implemented. Ever have a VPN drop out or have connectivity fluctuations? Location revealed. Lots of stuff to work around this exists, but seriously what's the point? At some point it becomes annoying to maintain. Technology is supposed to be convenient, not a chore. This drives most people to click yes on EULAs without reading because, whatever.

do we honestly believe google/alexa/siri are just listening out for their activation phrases? Do we need to revist Siri's DARPA origins? Do we know for sure everything in this space is as innocent as we've been lead to believe? What's history taught us so far? Snowden ring a bell? If the mic is listening discretely for phrases, what's stopping cameras discretely capturing facial biometrics to keep an up-to-date facial record?

My view of it being game over is because for all the policy makers and data security experts working on privacy and data security, there are 10 smarter engineers working for technology companys that are actively coming up with novel ways data can be harvested and used. All the while getting people to agree to it. Toys, new phones, fitness apps, wearables, infotainment in cars, new social media apps, smart TV, smart fridges, smart washers, sleep tracking apps, flybys, the Gmail inbox, biometrics, tweaking old social media ap policies, WiFi shenanigans, device intelligence, the list goes on. So sure, don't give up. But don't kid yourself that somone smarter with more resources isn't actively working out ways to make money from your (being anyone, not specifically you) data or use that data in ways you'd generally not be happy with.

 

[Squidfayce]

Nina is Australia's #1 comedian. And I quote: "I'm microdosing for anal by taking a shit"

This is great. Reminds me of "anal is like taking a shit, but backwards"

 

[Squidfayce]

On signal encryption, while the apps encryption itself hasn't been hacked, anyone sending signal messages to non signal users lose that encryption. Sounds obvious I know, but there are people who don't understand how signal is supposed to work.

Additionally signal messages can be intercepted by use of the built-in Accessibility Service in Android. The capabilities of this service can be exploited by hackers in order to collect data. Some stalkerware has been found that can use this feature to capture the text of incoming and outgoing messages from instant messengers already.

 

[johnny]

I don't mean for this to sound rude, but I've given plenty of reasons your phone is a privacy black hole.

You didn't though, you spoke about people sharing too much by way of unprotected activity. If people protect their activity, then most of the risks you've raised don't exist.

I can't underline each line of code for you that's doing bad things in your situation. Given the sheer breadth of fucked up things technology gets away with every day, considder a drake equation like probability of all the things likely to be harvesting you data or doing something you agreed to but didn't totally understand the consequences of, regardless of how benign it all seems. You simply can't know all the things but you can pretty much guarantee the probability your privacy is compromised all the time in some way. These services, often free , monetise by selling data. It's that simple.

But if you're not using the services - you're protecting your privacy - then you're not giving away the data, right?

Ever think about why and how signal makes the connection which of your existing contacts are on signal already? Doesn't seem very private.

Signal is open how they do that and they state that your number is encrypted before it's sent to their servers and not retained. That's how they connect it with contacts (it's on their website if you want to go over the details). But you don't need to give Signal access to your contacts, you can enter them manually when you use the service. So again, your concern is not with the hard/software, but with the user.

VPNs aren't the be all of data privacy either. Ever pay for something while on a VPN? Great you masked your location, then likley used identifiable information on a payment portal voiding all the privacy you just implemented. Ever have a VPN drop out or have connectivity fluctuations? Location revealed. Lots of stuff to work around this exists, but seriously what's the point? At some point it becomes annoying to maintain. Technology is supposed to be convenient, not a chore. This drives most people to click yes on EULAs without reading because, whatever.

Sure, VPNs can drop out, I understand that these things aren't fool proof. But almost everything you're saying here is about user behaviour (impatience, convenience, apathy, etc.), not the devices/software.

do we honestly believe google/alexa/siri are just listening out for their activation phrases? Do we need to revist Siri's DARPA origins? Do we know for sure everything in this space is as innocent as we've been lead to believe? What's history taught us so far? Snowden ring a bell? If the mic is listening discretely for phrases, what's stopping cameras discretely capturing facial biometrics to keep an up-to-date facial record?

Of course companies can be doing things that are illegal, nothing you do can manage for that, other than living in a cave. But that's not what this conversation is about, we're talking about where the line is between what privacy can be protected and what you must accept as a loss.

In saying that, using voice activated systems are very obviously something that the privacy conscious should use. Cameras, when not in use, should be covered. When not using your phone it should be kept in another room. etc. etc.

My view of it being game over is because for all the policy makers and data security experts working on privacy and data security, there are 10 smarter engineers working for technology companys that are actively coming up with novel ways data can be harvested and used. All the while getting people to agree to it. Toys, new phones, fitness apps, wearables, infotainment in cars, new social media apps, smart TV, smart fridges, smart washers, sleep tracking apps, flybys, the Gmail inbox, biometrics, tweaking old social media ap policies, WiFi shenanigans, device intelligence, the list goes on. So sure, don't give up. But don't kid yourself that somone smarter with more resources isn't actively working out ways to make money from your (being anyone, not specifically you) data or use that data in ways you'd generally not be happy with.

Again, other than illegal behaviour, which can't be protected against without giving away tech altogether, is based on user behaviour, not the technology itself. It takes a lot of continuous effort but educating yourself about how the data economy works, actually reading the privacy policies and agreements, constantly checking privacy settings and not discarding caution for convenience, but I believe that it is worth it and that it makes a difference.

The area where I struggle with is the biorecognition technology being deployed by states in what they claim is the interests of national security. The surveillance technology integrated into the smart cities that are being exported by China are extremely troubling. Many democratic states are also deploying technology like this and it's a genie that will never go back in the bottle.

There are people working on spoofing technologies (Singer's book Burn In, covers some pretty interesting approaches, such as reflective make up and spoofing applications etc.), but the new technologies are already taking account of attempts such as these. Troubling stuff.

 

[Squidfayce]

That's fine, you can have the view that privacy and security is 100% user driven. My view is that it's much an illusion. Snowden showed us that. Those intrusions didn't just stop because he spoke out.

Technology is sold as a convenience, a product that betters our lives. People want to believe that, and for the most part it does. It just costs your data and privacy. When you start overlaying it with all these measures to protect against something you shouldn't have to to worry about, the convenience and benefits to our lives start to be eroded. Who's got time to manage sticky tape on a camera phone? Do I cover the front and back?

Re signals phone contact matching - great. They've stored a number and can continually connect numbers to numbers every time via deitentified data. Basically a map of associations. Stand alone, that data is deidentified, aggregated with other data, not so deidentified any more. This is the whole illusion I'm trying to hilight. You give one company your deidentified data, who at some point decides their core values change or their data is compromised via a hack, and it's no longer private. Never happened before has it?

Facebook initially also had told users its privacy was strict. Untill it wasn't. Time and time again. Sure the people at signal aren't Zuckerberg, but who's to say that won't change. Money is a powerful motivator. People sell out all the time. Signal is just one company.

You can use your various methods for protecting your data, but you are one of the minorities in the scheme of things. Oversharing and not giving a hoot is the norm these days and that attitude will grow. I'd argue that it wont matter in the long run. It won't stop data harvesting or new technologies being created to do so. At some point that device won't need apps or your permission to do everything it wants, like the WiFi tech I mentioned before. Even if you don't switch WiFi on, you're bathed in WiFi signals from other devices you have no control of. Other people's devices will eventually know who you are in this map because your device I'd is unique and is tied to you personally by name via your phone provider.

The idea that a government intercepted all communications and parsed the data without the publics knowledge or permission was considdered a crack pot conspiracy theory not so long ago. Untill it wasn't.

Off to stream some SBS and update my socials.

 

[Elbo]

Not sure if this is what you're trying to distinguish between @johnny but having listened to a few interviews with Snowden, any device powered on and connected to a mobile network can be located pretty accurately through ranging and triangulation. So your device, by virtue of being a phone, is constantly giving away your location data. Aside from that and nefarious hardware I can't see what a smartphone gives away in terms of data that any other mobile would give away.

 

[Litenbror]

I can't add any more to this conversation and by the sounds of it @johnny you probably have the opinions of some of the top minds in the field but I do have an example of how your phone can link to larger identification issues.

A few years ago I sat down at my work computer at a large government department, opened my browser and went to YouTube to put some music on while I worked (they have blocked the radio because it took too much bandwidth). YouTube promptly loaded up a mix of all the kids music we were listening to at home. It took YouTube about 1.5 years to locate where I worked but it finally managed it. I wasn't logged into YouTube at home or the work computer but it still worked out that the person listening to music at this location in Canberra just logged on to a reasonably secure computer at this gov department. The best I can establish is through a combination of multiple sources of not secure data (eg wifi signal at work that my phone can see but not use, timing from home to work, some similarities between music played etc) it worked out where I was.

This may not sound like a big deal but the more I thought about it the more I realised if YouTube could put those two locations together and work out who I was then essentially anyone could use my phone to connect me to online activity elsewhere, especially an environment where we don't control the software/apps we can use eg. work.

 

[Squidfayce]

Don't forget technology is ever evolving. So the risks are dynamic. People spend their whole lives working in various tech fields and are continually surprised.

Think about what extra bandwidth introduced by 5g could potentially allow for that wasn't possible a year or two ago. Streaming video from camera lenses (fixed and mobile) looking out for "target actions" like Google listens our for "target phrases"? Sounds crazy, but sounds like a useful law enforcement tool, right?
The technology is being gworked on in fixed cameras are already. China and UK are actively using versions of this. Why wouldn't mobile lenses be the next evolution of that? At the moment it's bandwidth and lack of wide enough coverage.

 

[Squidfayce]

This may not sound like a big deal but the more I thought about it the more I realised if YouTube could put those two locations together and work out who I was then essentially anyone could use my phone to connect me to online activity elsewhere, especially an environment where we don't control the software/apps we can use eg. work.

Bingo. Most people have a fleeting thought when they recognise it the first time. After that it starts becoming pretty normal and you forget about it pretty quickly.

This is usually related to device ID which is broadcast without need for permission. It's a unique as your fingerprint. You can't opt out of this as far as I know. Device ID is used extensively in fraud protection when measuring application velocity. Often one fraudent credit application gets through but as soon as multiple apps start appearing from the same device, they're flagged (if a company is using the current tech). So despite VPN etc, a devices ID is regularly flagged in that sort of activity. It's one of the reasons fraudsters use lots of burners.

 

[ualf]

Maybe you could list a few reasons why/how smart phones are compromising our privacy.

One particularly intrusive way I encountered a couple of years ago was a product display at a large department store equipped with blue tooth data collection.

The display was able to determine what BT radios lingered in it's vicinity.

For a number of days after having a good look at this particular coffee machine whilst waiting for someone to finish their shopping I was flooded with online adverts for this particular product.

 

[Squidfayce]

One particularly intrusive way I encountered a couple of years ago was a product display at a large department store equipped with blue tooth data collection.

The display was able to determine what BT radios lingered in it's vicinity.

For a number of days after having a good look at this particular coffee machine whilst waiting for someone to finish their shopping I was flooded with online adverts for this particular product.

Device ID at work again. Your blue tooth wouldn't even need to be on for this type of location activity to push targeted advertising to you