The privacy issue is real and you can't solve it with just a VPN
Industry Insights By Viktor Vecsei | Posted on August 13, 2020
In the two previous posts in our series we have discussed even though mainstream VPN providers over-promise on their services, VPNs are useful and necessary tools for privacy protection. This third post looks beyond promises of VPNs to examine why and how sensitive data is accumulated of our lives, and what can we do about it.
In short, while some tools for surveillance resistance are useful to protect your privacy, we must take further actions to enact systemic changes.
Privacy is a new, but fundamental human concept
Ever since chimneys made fireplaces possible, the potential of having a private, safe space you can call a home fundamentally changed how humans relate to themselves and each other. Walls and closed doors shut out prying eyes, and the possibility of not sharing every detail of our lives strengthened our agency and helped individual thinking flourish. Having multiple devices connected 24/7 to the Internet in your home is dismantling this status quo, as intimate details of your activities are shared with those you don’t even know. Very little you do on your phone escapes monitoring by multiple entities, microphones are listening in on your home, while police have access to cameras looking at your front lawn. There is no escape from surveillance.
Privacy, as a commonly accepted social convention, was unknown a thousand years ago. Now life in a true, thriving democracy cannot be complete without it. Lacking privacy, the possibility of experimentation and progress become stunted because of chilling effects. Discrimination and human rights abuses face less obstacles. Long arms of a government following an authoritarian vision can label, locate, harass and discredit anyone not following an agenda. Profit driven data collection drives your profiling with information from multiple sources chained together - mapping out your past, monitoring your present, directing your future. We established in our earlier post even if you think have nothing to hide, those profiling you hold power over you.
Small breaches of trust set up large violations
Here is why the privacy issue is so hard to pin down: most actions that end up causing privacy violations happen ‘in the dark’ and without us realising their long-term effect. A piece of data collected is seemingly harmless - but small increments in loss of control set us up for an enormous leap in violations. Google storing thousands of personal data points on me? No problem, they are just building a better product. Facebook having hundreds of pictures of all your family members to train their machine learning algorithm? Everyone does that, it’s normal (no, they don’t, and it’s not).
Corporate entities whose business model rests on violating your privacy log your actions, thoughts, secrets and desires. They predict your future steps through these violations, nudging you into directions you might not explore by your own volition. Your government might get access to this information (perhaps in an ‘all access backdoor’ form) to use it as they please. Your credit score may tank, proper healthcare might go out of reach, you might not get that job or police just knocks on your door after a lawful protest - because of privacy violating profiling. Global crises offer a handy opportunity for shortcuts leading to normalization of privacy issues. This is not just a problem under authoritarian regimes, but becoming the norm in stable democracies around the world.
Information is power. But like all power, there are those who want to keep it for themselves.
Aaron Swartz
The slippery privacy slope we found ourselves on came about organically because of familiar forces that shape our world: money and power. Those raking in the cash and carry out invasive monitoring for control have no real incentives to curb their behavior. Capabilities and purpose are both aligned for effective tech companies in monopolistic positions and states with vast resources dismantling checks and balances. While the means are similar for the two groups, their goals are different.
For the former, monetisation of the behavioral surplus derived from personal information through advertising is the goal. For the latter, dragnet surveillance and bulk data collection provide insights to actions of their citizens, enabling effective monitoring and control. There is no reason to change the status quo: the scope of data collection will just keep increasing.
All watched over by machines of data collection
It was a daunting task for us even to contemplate the scope of data harvested from our lives for this post. How does this work in action? Where does data originate? Who is collecting it and what information they derive from it?
- On the micro-level, trackers collect individual data points from a distinct source and group it together, representing a sequence or a session
- Data processors and their partners trade, sell and acquire these batches for analysis and other use
- By correlating different data sets with matching pieces of personally identifiable information (email address, name, physical address, unique sequence of actions), companies and adversaries match them to your individual profile with high confidence. They create a chain of events that mirror your life spanning across days, weeks and years.
- For targeting purposes, the processors attach labels and flags to profiles that represent your household income, religion, political preferences, sexual identity and potentially a thousand plus other inferred data points.
- This information is then used to identify you for law enforcement purposes, to influence your vote or to target you with advertisements carrying the right content, at the right place, at the right time. This is happening with such precision that you might think platforms are now tapping your phone to figure out your intimate thoughts.
Where is your information leaking? While giving a complete picture is difficult, here are the key sources and channels where data derived from our actions originate and flow through:
| Source | Method | Information (sample) | Sensitive knowledge (e.g.) |
|---|---|---|---|
| Internet Service Provider, Cell Provider | Logging through DNS and deep packet inspection | IP address; websites visited; length of visit | Political affiliation, medical conditions |
| Online services and apps (incl. Facebook, Google) | Trackers in app; customer profiles sold | IP address, email address, location information, customer preferences, generated content | Political affiliation, groups you belong to, what you believe in |
| Websites you visit | Trackers on website; analytics services passing data | IP address, actions taken on website, device information, email address | Content preferences, medical conditions, ‘risky’ research |
| Mobile location | Collecting GPS, cell tower information | Location attached to device ID/phone number | Who you associate with, identity of friends, where do you work |
| Credit card purchases | Sharing purchase history | Date, vendor, item, amount | Travel habits, activism support, adult content consumption |
| Email provider | Scanning email content and selling insights | Email content analysis, contacts, metadata | Secrets, desires, purchase habits, travel habits |
| Health trackers | Logging and selling biometric data | Heart rate, workout habits | Health issues, private life |
| Connected devices | Collecting voice, device usage data | Search queries, apartment layout, consumption habits | Details on your home, private conversation with family |
| Out-of-home | CCTV, facial recognition, workplace monitoring | Date/time and location correlated | Where you are and when, travel habits, daily routine |
Selling in the context of ‘Method’ might mean used for monetisation and profit extraction within the same corporate ecosystem. Google and Facebook can safely say ‘We never sell customer information, we care about user privacy’. That is technically correct, but they sell your attention to the highest bidder using private information gathered from you across their different services. Google Analytics, for example, is present on 87% of the 10.000 most visited websites.
Change is possible, and it starts with you
There are concrete steps you can take today to protect your privacy first, then extend that change to help others do the same. As we discussed before, in most cases a VPN is not a sufficient solution to tackle privacy issues. To give you pointers for moving beyond one tool, we have collected what can you do to address the key problems:
| Source | Tools for resistance |
|---|---|
| Internet Service Provider, Cell Provider | VPN; Tor |
| Online services and apps (incl. Facebook, Google) | Use privacy respecting services; email forwarding services |
| Websites you visit | Ads and tracker blockers (extensions, VPN) |
| Mobile location | Turn off location sharing; selective permissions; burner phone |
| Credit card purchases | Card masking services; stick to prepaid cards, cryptocurrency or cash |
| Email provider | Use a paid email provider with no-logs policy and no ads (e.g. Tutanota) |
| Health trackers | Turn off logging and sharing; pick a product with privacy safeguards |
| Connected devices | Buy non-connected devices; ditch smart speakers |
| Out-of-home | Wear masks; support anti-FRT legislation. |
As you can see, using a VPN only solves one part of the entire issue, and partly helps with another. If you want to improve your privacy protection significantly, you need to do more.
Further challenges we cannot solve alone
Most issues can be mitigated or solved with tactics or tools, others are complex or hard to resist. Examples of issues with no simple solutions:
Device fingerprinting online
When visiting a website, the combination of the characteristics of your device, settings and browser information (e.g. user agent information, operating system, fonts and plugins installed) makes you unique and personally identifiable. You can use a browser that’s trying to counter this issue. Disabling JavaScript and using tools like Tails and CanvasBlocker might help. But in most cases, the more measures you take to hide yourself, the more unique your ‘fingerprint’ will become.
Mobile phone location based on cell tower data
To connect to your phone network, your device must communicate with cell towers that generate logs at your mobile provider. Burner phones are a solution, but in certain countries you cannot legally get a SIM card without a photo ID.
Facial recognition through police cameras, CCTV
Masks are somewhat efficient and you can buy gear designed for countering this threat, but there is no perfect solution.
Compromised hardware layer
Malware and backdoors in hardware you cannot trust are hard to detect and can cause leakage of sensitive data even if other layers are secure.
Services that don’t respect your privacy, but you ‘must’ use
If you cannot find suitable substitutes for Google Maps, peer pressure is too much for you to leave Facebook or other snooping services are mandatory for your work, your privacy will suffer.
Education, activism and resistance shows the path forward
To solve each problem above, you can go ‘off the grid’. If you are living in the woods without a phone or any connected device, typing the next activist manifesto on an air-gapped machine - no-one can violate your privacy. Most of us, however, wish to stay and take part in our communities without the pressure of surveillance, as free individuals who can choose what they share and who they share it with.
There is a small minority who won’t settle for the new data collection status quo. Activists, journalists, academics, lawyers and tool makers are working on uncovering issues, bringing those ‘steps in the dark’ to light. They piece minor violations together and apply pressure on those grinding their way to more money and more power. Their contributions bring on congressional hearings, privacy legislations, and creation of new tools of resistance. Here is what you can do to join this movement, start protecting yourself and further the bigger cause:
Education
Understanding the underlying issues better help put the problem into proper context and sets you off towards finding solutions. There are great resources on privacy issues, ranging from blogs through books to podcasts. We have published well-received privacy guides where you can start.
Activism
Experienced and motivated people actively work on privacy and surveillance related problems using technology, law and political channels. Join them and donate money or your time - start with Tor, EFF, NOYB and Tactical Tech.
Using tools of resistance
As highlighted above, you can counter various privacy harms by using tools designed for your problems. Use open-source and paid products, donate to their creators. The best place to find alternatives to your current setup is the PrivacyGuides website and their community. Techlore also has great guides (and a Discord channel) if video is your preferred format for learning.
Are you working on privacy enhancing tools and services? Contact us and we will do our best to amplify them.
Protecting personal privacy in the age of perpetual surveillance might seem like a Sisyphean task, but one thing to keep in mind is you are not alone in this. Many of us have similar needs, share your feelings of injustice and ready to work on solving the issues. Let us work together towards that future by using every mean available: education, activism that pushes for legislation, and building tools of resistance against this present day dystopia.
Illustrations displayed in the post are under public domain C00 license.
Suggest an edit on GitHub.