Question for the technically minded - VPN and data protection

johnny

I'll tells ya!
Staff member
I can't add any more to this conversation and by the sounds of it @johnny you probably have the opinions of some of the top minds in the field but I do have an example of how your phone can link to larger identification issues.

A few years ago I sat down at my work computer at a large government department, opened my browser and went to YouTube to put some music on while I worked (they have blocked the radio because it took too much bandwidth). YouTube promptly loaded up a mix of all the kids music we were listening to at home. It took YouTube about 1.5 years to locate where I worked but it finally managed it. I wasn't logged into YouTube at home or the work computer but it still worked out that the person listening to music at this location in Canberra just logged on to a reasonably secure computer at this gov department. The best I can establish is through a combination of multiple sources of not secure data (eg wifi signal at work that my phone can see but not use, timing from home to work, some similarities between music played etc) it worked out where I was.

This may not sound like a big deal but the more I thought about it the more I realised if YouTube could put those two locations together and work out who I was then essentially anyone could use my phone to connect me to online activity elsewhere, especially an environment where we don't control the software/apps we can use eg. work.
Not sure if ultrasonic cross-device tracking is still a thing or not, but it might have played a part. See slide 29 here: https://www.blackhat.com/docs/eu-16...sures-Of-Ultrasonic-Cross-Device-Tracking.pdf

I'm not sure when that above PDF was made but it must have been a couple of years ago as it's been a couple of years since it was shown that ultrasonic code can be detected by the micro electro-mechanical gyroscopes in any device that measures tri-axis movement (as in when your screen switches from landscape to portrait, or a game measures which way you're holding a device, etc), and information can be received by your device without consent. Read about it here: https://caslab.csl.yale.edu/publications/matyunin2018zeropermission.pdf The point here being that even if you disable your mic, you're still susceptible to receiving information without consent.
 

johnny

I'll tells ya!
Staff member
Actually, that reply ^^^ was intended for @ualf in regards to his post on coffee machine adverts.

I just suck at technology, is all.
 

johnny

I'll tells ya!
Staff member
Who's noticed that the self-checkouts at Woolies now have a video camera pointed at your face as you scan your goods. Would be interesting to know whether your face could be tracked by other cameras around the store as you browse each time you visit, a profile built and attached to the card you paid with, whether it's a loyalty card or not.

I assume the tech to do all this is already available, but would they need my consent to do it? Possibly not if my name is not attached to the profile, but I imagine with aggregation it could well end up becoming linked anyway.
That started in about Sept last year, and they were called on it in the media. They stated that nothing is recorded and that it's a shoplifting deterrent as "studies show" people are more honest if they think they are being watched.

I've been using cash for the groceries since it came out that they were skirting the bounds of legality by matching purchasing behaviour with your credit/debit card. It sucks as you have to go to the ATM and it makes doing the household budget so much more laborious. But, if you think of your trolley and the approx 30-50 items in it, that's a lot of decision points made each time you shop, which can greatly assist psychometric profiling, health forecasting, etc.
 

johnny

I'll tells ya!
Staff member
So...user driven, except when it's not?
Yes, precisely, and I've been trying to get more information on the "when it's not" part, right?

The "when it's not" component is an exceptionally fast growing segment. It's faster than people can keep up with and is ever more weighted to this default position. Device ID capture is a perfect example of this. You cannot opt in/out of that if you own a smart phone.
So, it's likely that my knowledge on device ID is limited, but as far as I knew, device ID is now actually opt IN for iOS users since Apple ditched IDFA. Secondly, your device ID is changeable, anyone can change it whenever they want (it's not actually permanently assigned to your handset/tablet like your IMEI is). Also, I'm not aware of how device ID can be used to track location, as far as I know, it's used to trace behaviour online. Anything you can post on that would be appreciated. Here's some other ways that you can protect your privacy regards device ID tracking:

If you’d rather not be tracked, there are some counter-measures that you can employ beyond the official “opt-out” clause which may or may not be featured prominently in the Terms & Conditions of the web site or service you’re using.

Whenever you log in to Facebook or Google (or any third-party app which uses their services to validate its own operations) you leave a trail that can be used to identify your device. So diligently signing out of these accounts each time you finish using them is one option to avoid this.

If you subscribe to a lot of services, using a selection of different email addresses to sign up can help confuse your trail. Alternatively, you can use dedicated masking software, or a VPN (Virtual Private Network)/data management app which can block certain other applications from using your data connection whenever you’re online – which they’ll often do to push advertising to you directly, or to feed information back to an ad network that will serve you with promotions later.

There’s also an industry initiative known as AdChoices which allows users to opt out of internet tracking, altogether.



Game Over is clearly a hyperbolic comment, but it's not far from the truth. While almost everything I've pointed out can be "managed", it rarely is. Or is managed by those like yourself that care. The problem is the less people care, the less need/market there is to keep working on stuff for people that do care. It's obvious from the behaviors of the vast majority of users and generational changes what direction we're moving in - hence Game Over.
Well, it's game over for people who don't manage the risks, but that's not what this thread is about. I know that most people opt for convenience and ignorance, but this thread is about the opposite, how to be informed, right?


So Signal periodically accesses your device (because it doesn't store data on servers) to collect information, that data goes to a server to get matched with other data and then send matches back to the relevant devices, then deletes the records of this matching? Right. So you're saying you can't build an association map from this?
Where did I say that?! I never said anything of the kind.

It's basically mapping associations every time it does this! We have to take their word that they just delete the data afterwards. Yeah even if I buy that their data is deleted, that could change either at a company policy level or directed by a government. I know that sounds tinfoil hat like, but again, it's happened before and happens all over the world, so I sort of feel like trusting companies to do what they say with data is a 50/50 gamble most days.
Yes, I understand all that. But as I've said, this discussion is about managing what you can. If you don't believe that any companies will abide by their commitments and govts won't ever follow the law, then you either hide in a cave or accept that you'll never have any privacy. That's an extreme and unreasonable response - yes, of course companies have broken their own rules and the law and of course govts do unethical stuff, but that's not the rule, it's not even the norm!

This discussion is about working out where the line is between mitigating, managing and accepting risk. Signal is an example of a company/product that has a good reputation, states that it will protect your privacy and is even endorsed by your boy, Snowden. So, on balance, you manage risk by going with a group like Signal and accept the residual risk that they break their own rules, get hacked, etc. etc.

Take a quick look at the permissions you give Signal when you use it. It's probably no different than any other messaging app. You are giving it effective full access to everything on your phone including location/gps data. Mull that over the list a bit, then consider the below.

In the permissions, you might notice something I've been banging on about - • read phone status and identity - Allows Signal to determine your phone number and Device ID. These are used to register for Signal.

So while no messaging data is stored or number (or is it stored, dunno, the messaging seems conflicted) or names, what is stored with your Signal registration is your Device ID. It shows the Signal network that you're an authorised network user. Cryptohashed or not, Signal knows who you and the rest of its users are, explicitly, all the time. Combine that with all the other Device ID data you can just buy openly and legally, what do you have? You have a company that can easily generate and sell insights. Worst is, to them those insights are identifiable on the individual level.
Actually, you don't have to give it permission to location/gps data and most of the stuff on that list, it's optional in the app settings. Yes, you have to give it your number, ID, etc., which goes back to having to accept some level of risk.


I think you demonstrate a good understanding of it, but I think there are also gaps in your broader understanding of it. i.e. Device ID and what it means for privacy and data collection/monetisation seems to have been completely missed in your earlier points.

This is a moving target. When device ID becomes the next privacy crusader target (which it has somewhat not surprisingly), expect the industry to pivot, just like the research chem drug market. It's simply too good to let go of.
I have never argued that phones don't give away data, I've only said that everything you've highlighted (up until you mentioned device ID) was not the phone giving away data, but the user giving away data. And even now, I'm still not sure how device ID gives away as much as you say it does.

At the risk of repeating MYself, continued effort is not the name of the game. Convenience is. The majority of users are becoming less concerned with privacy. That's not an opinion either.
I genuinely don't understand why you're making that point. I know that the majority of users embrace convenience and give away their privacy, I know that developers create convenience and entertainment to capture data, I've never said otherwise. What I am saying is that if someone is eager to protect their privacy they can do so by informing themselves, taking the time to review settings and read privacy statements and commit to continued vigilance. In other words, if one inconveniences oneself, it is possible to protect one's privacy to a significant degree and that it's not game over. That's all.

You have to admit, we have less privacy today than we did 10 years ago. Why is that?
Yes, of course I admit it, that's explicitly what this thread is about, right? Why is that? Because technology has enabled it. Again, I thought that was the point of this thread.

Reckon we'll just somehow go back to pre internet levels of privacy or do you think it's more likely the various classifications of data change to make less things classified as sensitive or worthy of being considered private?
It's going back and forth - right now there is a backlash against the way we give up data, Apple is leading part of that push. I think there will be a bit of split, where the majority go for convenience under the illusion that they have nothing to hide. But I think that there will be a growing segment within society that are privacy conscious and will create a lucrative market for more secure products. These products will always be abused by criminals and there will have to be some balance found between high-levels of privacy and government access. I have no idea where that will be.

I'm just here to tell you your devices are doing a whole bunch of shit you didn't know about that you have zero control over. And the thing is, no one is actually hiding it.
Other than your claims on device ID (which may be accurate), I'm still waiting for you to provide any actual detail/links on what that whole bunch of shit is, though! I'm not saying I don't believe you, I'm sure it's actually true. I'm just looking for some, any detail.

Here's an example of what I'm hoping you will provide - browser fingerprinting and how your browser is used to ID you: https://browserleaks.com/
 

johnny

I'll tells ya!
Staff member
I can't add any more to this conversation and by the sounds of it @johnny you probably have the opinions of some of the top minds in the field but I do have an example of how your phone can link to larger identification issues.

A few years ago I sat down at my work computer at a large government department, opened my browser and went to YouTube to put some music on while I worked (they have blocked the radio because it took too much bandwidth). YouTube promptly loaded up a mix of all the kids music we were listening to at home. It took YouTube about 1.5 years to locate where I worked but it finally managed it. I wasn't logged into YouTube at home or the work computer but it still worked out that the person listening to music at this location in Canberra just logged on to a reasonably secure computer at this gov department. The best I can establish is through a combination of multiple sources of not secure data (eg wifi signal at work that my phone can see but not use, timing from home to work, some similarities between music played etc) it worked out where I was.

This may not sound like a big deal but the more I thought about it the more I realised if YouTube could put those two locations together and work out who I was then essentially anyone could use my phone to connect me to online activity elsewhere, especially an environment where we don't control the software/apps we can use eg. work.
Think I got the right post this time...

My best guess is probabilistic matching (I have a friend that works in this space and it's mind-blowing how much data is collected and processed): https://www.technologyreview.com/20...s-follow-you-from-phone-to-desktop-to-tablet/
 

johnny

I'll tells ya!
Staff member
Why not use Tails and Tor then @johnny ?
That can attract some levels of unwanted attention/questions.

A bunch of VPNs that don't do logs etc are becoming more attractive, as are disposable emails, etc. It's all part of finding that balance, between satisfying my desire for privacy, the risk of inviting intrusive questions, accepting the financial costs, forcing the family to give up convenience, etc.
 

Minlak

custom titis
The biggest difference people need to make is the difference between data gathering / data mining / data delivery.
A VPN does not hide any information from the website if it's a website that you need to give information to for it to work for you.
A VPN technically does not stop the information being collected it just changes the information to generic information for that VPN centre you choose to run out of.
A VPN and your connection to it can 100% be monitored if ordered by the relevant courts / agencies - The advantage to a no log data centre is they will get no historical data from it but will be able to get any new data you generate.

I only mention this again as a simplified format to what has been said in here before.
I mean the old adage people like to trot out is "If you are doing nothing wrong - you have nothing to worry about" lol.

Also found this in a recent looking session - Nothing new here but just pointing it out.
 

Elbo

pesky scooter kids git off ma lawn
@Minlak That Smart TV thing is terrifying. How complacent have we become to even allow a scenario like that to play out?
We bought a Thermomix a while ago and I opted for the previous model purely because it didn't connect to the internet. I didn't want my food processor even capable of automatic software updates or one day finding that certain functions are ransomed to a subscription service.

If you ask people, would you allow a 3rd party to open your snail mail, read it, slip a couple of coupons in based on what they read and close it up again, most would say no way; but that's Gmail in a nutshell. Most people clearly have no understanding of the power of consolidating minute packets of seemingly innocuous data over time, and defer to the 'if you've got nothing to hide you've got nothing to worry about' argument to hide their ignorance.

The big question that always remains for me is, how responsible is the user for their privacy when the device, apps and services are actively trying to obfuscate what the product actually is, or what they do with the data. Should the default be caveat emptor or caveat venditor, and why? Can you even have 'buyer' beware when most of the offenders are 'free' service based on the collection of freely given information.
 

Litenbror

Eats Squid
So funny one in our house at the moment, my wife is now getting targeted ads for knitting. When I was building my new wheel on the weekend we were laughing about how it was as finicky as knitting but with metal threads, now she is getting ads for knitting products :D
 

link1896

Mr Greenfield
The Samsung TV licensing agreement is almost as scary. Any images captured by the TV no longer belong to you is the gist of the agreement you irreversibly agree to the moment you open the outer shipping box.
 