In my last post on this topic I spent a lot of time talking about the changing nature of the marketplace around digital services, from search engines, to email, to social media, and it seems like we’re getting a continuously degraded experience. I directly ask the question:
“So if these platforms provide no value AND provide no privacy what incentive do I have to keep using them? Is the occasional funny cat video worth dealing with all the garbage while these platforms monetize me?”
Your answer to that question may be different from mine. Recently I came across a blog post from a security researcher who got very curious about how mobile apps use location data. We all realize that some apps, like Maps, obviously need our location to be useful to us. But a surprisingly large number of apps are constantly asking for our location and not always in the way you might expect. It is almost always tied to some type of ad tracking system. Where this becomes dangerous is when large analytics firms that collate this data for advertising then experience a security breach*. What’s more shocking is that for around $10k USD anyone can subscribe to one of these analytics firms and find just about anyone’s location if they know a little bit about them.**
Alright, so this is the practical post. How can we once again hide ourselves in the dark forest of the internet in a way that keeps us from being consumed by the savage beasts hunting for our data?
Step 1: Start with mobile. Your smartphone is always with you and always on. This is by far the greatest source of data about you. Verify your privacy settings to ensure that apps that don’t ever need your location information don’t have access to it. Adjusting this setting doesn’t guarantee that apps won’t still have some type of access to your location via IP address and reverse DNS lookup. This is a common trick used by in-app advertising. I am on iOS devices pretty frequently, so I use an app called 1Blocker. It has a free tier that allows you to choose one of its blocking types, but has a paid tier for $15/yr that unlocks all the filters. I find this a good value and very useful. Also, if you are on iPhone, enable the Do Not Track setting. It’s debatable how much companies actually respect this flag, but every bit helps. Make sure you also disable personalized ads wherever possible in iOS. Lastly, if you are an iOS user, take some time to consider if enabling Advanced Data Protection fits your threat model. iCloud ADP fully encrypts your data in iCloud, which means only your trusted devices can access it. If you lose that device and have not properly set up a recovery option, Apple will not be able to recover that data for you. But in exchange for that risk, your data is fully secured from just about everyone.
Step 2: Ditch Chrome on the desktop/laptop. There are a lot of other web browsers that have the same or better performance and don’t force you to sacrifice privacy. I really like Firefox. Just watch out for some of the scam browsers that might be using the spare CPU cycles of your computer to mine cryptocurrency. I am looking at you, Brave. The upside of ditching Chrome is that most other browsers still support ad-blocking extensions like uBlock Origin.
Step 3: Now I show you how far the rabbit hole goes. Did you know that you can search the web without using Google? Shocking, I know. And no, I am not talking about sad little Bing over there in the corner offering its little rewards. A few months ago I discovered SearXNG. It’s an open source meta search engine built for better privacy and better results***. It aggregates results from other engines and sort of acts as a proxy for your queries, so you stay anonymized. If you are a power user you can even self-host an instance of it, but it’s probably easier to go to https://searx.space/# and pick an instance. I just opt for the fastest one. It’s not as fast to return results as Google, but it’s close and it’s not overly burdened by algorithmic up-ranking for advertising purposes. It’s pure, uncut web.
Step 4: Okay, now the nuclear options. How good do you feel about hosting your own DNS firewall server? What’s DNS? Well, that’s how a web browser translates a URL into an IP address so it can find the site on the World Wide Web. Don’t be intimidated! This is much easier than it’s ever been. Thanks to a little application called Pi-hole****, you can easily run this at home. You can run it on a wide variety of hardware or even virtualized. I won’t do a tutorial here. Others have covered it much better. Essentially, Pi-hole is a DNS server that you give a custom block list of sites, which it then uses to drop web address requests sent by applications that may not respect your privacy; it can even prevent malicious behavior. Head to https://pi-hole.net/ to get started. The other nuclear option is one that is kind of annoying. There is a browser plug-in called NoScript Security Suite*****. It’s been around for an extremely long time and it’s extremely powerful and granular. It takes a long time to tune because you must adjust settings for every site you visit. Almost all the modern web is built on JavaScript of some flavor. NoScript lets you intercept and prevent that JavaScript from running unless you say so. This is really an advanced approach and I do not recommend it unless you have the extra time to tune it and understand enough about how websites work. With NoScript enabled, a lot of websites will initially look very broken until you go in and enable functions one by one.
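To make the DNS block list idea from Step 4 concrete, here is an added example (not Pi-hole's code and not from the original post) that models the blocking decision: parse a block list, then answer a blocked name with a sinkhole address instead of forwarding it. The domains, the list contents, the stand-in upstream resolver and the 0.0.0.0 sinkhole answer are all constructed assumptions.

```python
# Simplified model of block-list DNS filtering (added illustration only).
# All domains and addresses below are constructed sample values.

SAMPLE_BLOCKLIST = """\
# constructed sample list: hosts format, plain names, Adblock-style rule
0.0.0.0 ads.tracker.example
127.0.0.1 telemetry.vendor.example   # trailing comment
||adnetwork.example^
metrics.example
"""

def parse_blocklist(text):
    """Return (exact, wildcard) sets of lower-cased domain names."""
    exact, wildcard = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if not line:
            continue
        if line.startswith("||") and line.endswith("^"):
            wildcard.add(line[2:-1])      # rule covers domain + subdomains
            continue
        fields = line.split()
        # hosts format is "<ip> <name>"; plain lists are just "<name>"
        name = fields[1] if len(fields) >= 2 else fields[0]
        if name not in ("localhost", "localhost.localdomain"):
            exact.add(name.rstrip("."))
    return exact, wildcard

def is_blocked(qname, exact, wildcard):
    """Decide whether a queried name should be sinkholed."""
    name = qname.lower().rstrip(".")      # DNS names are case-insensitive
    if name in exact:
        return True
    labels = name.split(".")
    # test the name and each parent domain against the wildcard rules
    return any(".".join(labels[i:]) in wildcard for i in range(len(labels)))

def answer(qname, exact, wildcard, upstream):
    """Return the sinkhole address for blocked names, else ask upstream."""
    if is_blocked(qname, exact, wildcard):
        return "0.0.0.0"
    return upstream(qname)

if __name__ == "__main__":
    exact, wildcard = parse_blocklist(SAMPLE_BLOCKLIST)
    fake_upstream = lambda q: "192.0.2.10"    # stand-in for a real resolver
    for q in ["ads.tracker.example", "cdn.adnetwork.example.",
              "sub.ads.tracker.example", "news.example"]:
        print(q, "->", answer(q, exact, wildcard, fake_upstream))
```

Note that sub.ads.tracker.example is forwarded upstream: a hosts-style entry only matches the exact name, which is why block lists need either an entry per tracking hostname or a rule that covers subdomains.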
Let me know if you have other practical steps you like to take to improve your privacy. Several sites, including Wired, have recently updated and revised their privacy guides and I highly recommend checking them out. Maybe that can be your first SearXNG web search?
Sources:
*https://timsh.org/tracking-myself-down-through-in-app-ads/
**https://www.404media.co/hackers-claim-massive-breach-of-location-data-giant-threaten-to-leak-data/
***https://docs.searxng.org/
****https://pi-hole.net/
*****https://noscript.net/