z3r0trust Privacy Newsletter #17

This article is also available in Spanish here.

“Privacy is not an option and it shouldn’t be the price we accept for just getting on the Internet.” — Gary Kovacs, former CEO of AVG Technologies

Welcome back to this most spooky Halloween, pre-election 17th edition of the z3r0trust Privacy Newsletter. In this segment, I take an apolitical approach to several of the privacy developments that have emerged over the past month. There is much at stake in the 2020 U.S. Presidential Election at every level of government but this is a series about privacy, not politics. My aim is to help spread privacy and security awareness as we fight the good fight.

Privacy Rant

Freedom of speech is every American citizen’s right to express themselves freely under the First Amendment but some uneducated Americans don’t understand that there are, in fact, limits to what can be said. In the privacy of your own home, you can say whatever you like. However, should you decide to post comments publicly somewhere, say on the Internet, a newspaper, a magazine, or a book, they can’t be obscene, fighting words, defamatory (including libel & slander), child pornography, perjury, blackmail, incitement to imminent lawless action, true threats, or solicitations to commit crimes according to scholars from the Freedom Forum Institute. This is all fine in theory but it’s much harder to police speech online or in real life. “We need a speech clean-up on Aisle 4 please.”

There are limits to freedom of speech just as there are limits to privacy when we’re in public. At home, you can be as private as you want. Draw those curtains, turn off the porch light, don’t answer the door, rev up that Virtual Private Network (VPN), and Tor Internet browser. In public, however, you cannot expect that the same level of privacy will be afforded to you. For instance, if you want to ride on a city bus which is equipped with CCTV cameras for safety reasons then you must submit yourself to being recorded. The city is not going to care about your desire to remain private and not be surveilled. They only care about keeping their public transit system safe. Never mind that the police can use that CCTV surveillance system to track people with facial recognition software.

It may sound contradictory coming from a privacy advocate like myself but consider these words carefully. There are certain types of surveillance monitoring that I agree with for the greater good of a free society. The kind of social media and Internet Open Source Intelligence (OSINT) monitoring performed by Law Enforcement Organizations (LEO) and Intelligence Community (IC) agencies like the FBI, NSA, CIA, DHS, and others is, dare I say, something of a necessary evil if we are to be able to live freely and continue our way of life without the constant fear of terrorism. It’s also going to happen whether we complain about privacy or not. We’re not going to change this or prevent it from happening. The infrastructure has been designed and built to monitor at an enormous scale, not just for Americans but globally.

That’s not always a bad thing though. If you are mugged at gunpoint at the ATM, you probably agree that CCTV cameras are helpful in apprehending the suspect who ran off with your money. They are a massive invasion of personal privacy but there are good use cases, sometimes. If we can establish that some degree of surveillance monitoring is necessary in the interest of national security and the safety of the general public, then it also stands to reason that there have to be specific safeguards in place to protect our privacy so that this authority is not abused. That oversight, however, cannot happen when the Inspectors General throughout the various government agencies are intimidated by a commander in chief that will fire them for investigating a whistleblower complaint. So, while I think there should be some level of surveillance, the entire system needs to be overhauled due to the ease with which it can be corrupted by senior government officials who are themselves quite possibly corrupt.

I see this argument as being very similar to the recent controversial call to defund police departments after the untimely death of George Floyd or the call to abolish ICE for their unethical treatment of illegal immigrants. I contend that doing either of these things would be a mistake because the chaos that would ensue after doing so would be even worse. Instead, I argue that what is needed to reform those agencies is stricter accountability laws that law enforcement officers are required to follow but that are actually enforced instead of just paying them lip service. Once word gets out that Jimmy from the 25th Precinct is serving a life sentence for unloading his service revolver in self-defense against a family of unarmed minorities, things will begin to change as it happens more frequently with consistent punishments. Defunding and abolishing these local, state, and federal government agencies in most cases will do more damage. But what does this have to do with privacy you ask? Bear with me…

Contrary to the belief of some folks, we really do need police to enforce the laws. Don’t make the mistake of thinking that communities will effectively police their own people. That has never worked. It will quickly devolve into he who has the most guns and is the most aggressive rules. We do not want that as a society. What is NOT needed are corrupt cops who abuse their authority, kill innocent people, and are not held accountable. Reform IS NEEDED to strip some of the authority from these organizations so that our privacy rights are not being constantly violated. It currently seems as though every police agency in America is using blanket geolocation search warrants for cell phone providers to target protestors, using Stingrays to intercept phone calls and data in which innocent non-suspect data gets exposed to police, and these police agencies are purchasing the use of third-party phone geolocation tracking services that are used to track Americans.

We need ICE to hunt down violent and criminal foreign fugitives who are in the country illegally. Do we need ICE agent task forces monitoring phones, automated license plate readers tied into CCTV surveillance cameras to track down undocumented immigrants? Immigration is a whole separate discussion but it does intertwine with privacy as the methods agencies like ICE and CBP use to track people violate not only the immigrants’ privacy but often that of ordinary Americans as well. There is an old saying that is often falsely attributed to the famous author George Orwell that says,

“People sleep peaceably in their beds at night only because rough men stand ready to do violence on their behalf.” ~Richard Grenier adapted from the author, George Orwell’s ideas

We need these “rough men” (and women) for the safety of our nation and our way of life whether that is the military, law enforcement, or some other agency. Some level of surveillance is needed but “some” is difficult to define and situationally dependent on numerous factors. However, it’s when it gets abused that I take issue with it and that is when every citizen should take issue with it by demanding reform from their elected officials. The problem always has been who will watch the watchers? This is an inherent flaw in the entire system of government. For every layer of bureaucracy that we create, there has to be some agency appointed to provide oversight. The short, unqualified answer is that no one is watching the watchers. I mean come on, there have been so many examples throughout history demonstrating this fact. The government exists to serve the people, let us not forget that. Somewhere along the way it has been adapted to also invent the need to spy on its own people to keep them “safe.”

If the government needs to spy on its own citizens to some extent to keep them safe, which I argue they do, then it is logical that whatever you post openly or do on the free internet is subject to monitoring not only by the Tech company who owns the services and infrastructure but also by the government and law enforcement authorities who have the unenviable task of trying to keep us all safe. It is the types of data that these entities are allowed to collect and what they do with it that we need to tightly control as the people who are being governed. We do that with our votes. Where it gets fuzzy, and what I take issue with, is when these powers get abused and the types of monitoring used.

“A cell phone — almost a ‘feature of human anatomy,’ … tracks nearly exactly the movements of its owner. While individuals regularly leave their vehicles, they compulsively carry cell phones with them all the time,” the chief justice wrote. “A cell phone faithfully follows its owner beyond public thoroughfares and into private residences, doctor’s offices, political headquarters, and other potentially revealing locales….Accordingly, when the Government tracks the location of a cell phone it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone’s user.”

Roberts said the courts could not look the other way at that intrusion simply because the way phones work requires sharing that information with wireless carriers.

“Given the unique nature of cell phone location records, the fact that the information is held by a third party does not by itself overcome the user’s claim to Fourth Amendment protection,” the chief justice wrote. “Whether the Government employs its own surveillance technology…or leverages the technology of a wireless carrier, we hold that an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through CSLI (Cell Site Location Information).”

Privacy is about having control over your private data, whether it be your Web browsing history or what you said in some anonymous chat room in 2002. We’re a long way off from having that level of control over our private data now but I offer that data retention is something we can control a bit more ourselves by limiting what we choose to put online in the first place.

“The government shouldn’t have any role in planting secret back doors in encryption technology used by Americans.” — Senator Ron Wyden, a leading Democrat on the Senate Intelligence Committee

There are endless soundbites about privacy from influential government officials but none of them seem to have been able to do anything meaningful to implement tougher privacy legislation.

Data Breaches & Privacy Exposures

The bookseller Barnes & Noble was the victim of a data breach on 10 October allegedly perpetrated by the Egregor ransomware gang. The attack disrupted the company’s online Nook eBook services and also temporarily disrupted their Point-of-Sale (PoS) system at some retail locations. Barnes & Noble released a statement via email (one that I also received personally) which said that customer email addresses, billing and shipping addresses, phone numbers, and purchase transaction histories may have been exposed as a result of the data breach. Evidence of the breached customer data was verified on a Dark Web site known to be operated by the Egregor ransomware gang.

It is important to note that no online targets are off-limits. Cybercriminals and cyber threat groups will attack any target if there is some kind of payoff they are after. Increasingly, that payoff comes at the hands of a ransomware attack that is also a Denial of Service (DoS) attack. The defense against data breaches and their ensuing ransomware attacks is to reduce attack surfaces by uninstalling unnecessary applications and services from the computer operating systems, automatically patching software/firmware whenever possible, and monitoring the event logs on the computer systems for anomalies.

The state of Georgia’s Department of Human Services suffered a data breach in which unknown attackers were able to compromise employee email accounts. The department took quick action to limit the effects of the attack by locking down accounts and blocking attacker IP addresses. However, the attackers were able to access several emails containing Personally Identifiable Information (PII) belonging to kids and parents involved in Child Protective Services (CPS) and the DHS Division of Family & Children Services (DFCS). The PII compromised in the emails was extensive including Social Security Numbers, full names, addresses, relationship statuses, phone/email addresses, dates of birth, psychological reports, counseling notes, medical diagnoses (HIPAA-protected), substance abuse information, and health insurance information.

A social networking app called True, which is advertised as protecting user privacy, inadvertently left one of its data servers exposed on the Internet, spilling private user data. True is owned by Hello Mobile, a lesser-known cellular service provider that operates using T-Mobile’s cellular network. The True app had an Internet-exposed database that was not password-protected which contained private user data. When contacted by TechCrunch, Bret Cox, the chief executive, did not answer questions about whether it would do the right thing ethically and notify customers or regulators. This is the absolute wrong approach to take. Mistakes sometimes happen; admit your fault, own up to them, take corrective actions, and move on to improve for the next time it happens. There will be a next time… The focus needs to be not only on doing the right thing when a data breach occurs but also on secure application and website design which by default ensures greater data privacy.

Major Privacy-related Lawsuits

The United Kingdom’s data privacy watchdog, the Information Commissioner’s Office, fined Marriott the equivalent of $23.5 million over their massive hotel chain data breach from March 2018 that resulted in the public exposure of over 339 million guest records online. The UK was able to map 7 million of the Marriott breach victims to UK citizens. To this day, U.S. authorities have yet to impose a fine on the hotel chain for the data breach that occurred over 2.5 years ago but that hasn’t stopped international privacy watchdogs from imposing their own regulatory fines. One has to wonder what it will take for American lawmakers to enact legislation for Americans, similar to the EU’s General Data Protection Regulation (GDPR), that imposes similar penalties.

In case you are wondering how big a deal government surveillance and Internet monitoring is in other countries, French authorities arrested five bar and cafe owners in the city of Grenoble this month for operating no-log WiFi networks at their establishments for patrons to use. A fourteen-year-old French law (i.e., law #2006–64) requires that all Internet Service Providers (ISP) collect and maintain WiFi network connection logs for at least one year. Authorities later released the establishment owners but this was obviously done to send a warning message to anyone providing free Internet services.

Google’s YouTube is facing a massive $3.2 billion class-action lawsuit for GDPR privacy violations involving five million UK children. The UK is still protected by the GDPR until 2021 but also has its own similar law called the UK Data Protection Act. The lawsuit alleges that YouTube targeted children for advertising purposes. Interestingly, Google and YouTube didn’t learn their lesson in 2019 when the Federal Trade Commission (FTC) fined them $170 million for collecting the data of minors for targeted advertising purposes without parental consent, which was a blatant violation of the U.S. Children’s Online Privacy Protection Act (COPPA).

YouTube thinks it is enough to put a disclaimer on their website that its platform is “not for children under 13.” As a parent who has created YouTube Kids accounts for my children so that they can entertain themselves with age-appropriate videos, there is a selection option when creating the account where you’re supposed to select the age range of the child. Whether a user account is created or logged in doesn’t matter, however, because YouTube like Google tracks everything any user does on their platform through browser cookies and other telemetry data that can fingerprint individual users. The problem here is that the fines being imposed are mere “chump change” for Tech giants like Google. $3.2 billion, however, is sure to demand their attention. Let’s hope it results in meaningful privacy protection reform.

The Irish Data Protection Commission (DPC) is poised to deliver a ‘landmark’ GDPR decision that will set a new precedent for how Tech companies transfer data transnationally. The DPC has been investigating Twitter since early 2019 for a minor data breach in 2018 even before the Tech company suffered another high-profile breach in 2020. Twitter failed to meet the requirement of timely notification to users following the data breach which is specified under Article 33 of the GDPR. Interesting also is the fact that several Silicon Valley Tech giants have chosen to establish their global headquarters in Dublin, Ireland, due to their extremely low tax rates. Rather than pay much higher U.S. corporate taxes, companies like Google, Facebook, Slack, LinkedIn, Dropbox, and Zendesk, as well as plenty of budding startups have established their headquarters in Dublin. Not Twitter though, interestingly enough. Twitter is based out of San Francisco, Silicon Valley. So, is this a privacy issue or an issue where Ireland is picking on an American Tech company that isn’t paying them any taxes and piping Irish Twitter user data out of the EU using non-agreed upon transfer protocols? Time will tell.

Privacy Legislation Developments

As evidenced by the International Association of Privacy Professionals (IAPP) map (above), several states in the U.S. are beginning to enact more stringent privacy legislation which should worry Tech companies like Facebook, Apple, Twitter, Microsoft, Google, and Amazon. They are likely to be spending a lot of time with their lawyers in court. Global research firm Gartner is predicting that by the year 2023, privacy regulations will increase from 10% world coverage to 65% coverage. The EU courts have struck down the EU-US Privacy Shield data-sharing agreement due to the U.S. not having adequate privacy regulations that equally protect EU user data. I think 2023 is an aggressive prediction but certainly, by 2025, I expect there to be a much greater level of privacy regulation implemented globally. People are angry over the loss of privacy and who the hell gave these Tech companies the right to collect and sell their private data?

In their latest act of defiance, the CBP has refused to tell Congress how it is tracking American citizens without search warrants. The CBP confirmed to the Senate that they have procured the services of Venntel’s location database to search for information collected from phones in the U.S. without any kind of court order. It is a sign of the times under the current political administration that a government agency belonging to the Department of Homeland Security (DHS) under the leadership of acting Secretary Chad Wolf feels confident enough that they can willfully ignore not only Congress’ demands for information on how it tracks Americans but also that it is openly violating the Fourth Amendment Constitutional rights as well. Note that Chad Wolf is not Senate confirmed as the Secretary of DHS, he is still acting which means that he was only appointed to this position by the White House.

Now, several senators on the committee, including Senators Wyden, Warren, Brown, Markey, and Schatz, are asking the DHS Office of Inspector General (OIG) to investigate CBP’s warrantless domestic surveillance practices of phones to determine if laws are being violated. This is an obvious sidestep by CBP and DHS of the Fourth Amendment Constitutional rights Americans are afforded and must not stand. The DHS OIG will likely find that CBP’s surveillance practices are illegal but pressure from DHS and the Executive Branch will sway opinions. I predict that until new senior Executive Branch and DHS Secretary leadership is ‘installed’ by a matter of election and subsequent appointment and Senate confirmation, these egregious privacy violations will not cease.

The Facial Recognition System Saga Continues

In a bizarre story that serves to highlight the dangers of facial recognition technology when used inappropriately, surveillance startup company Verkada was embroiled in its own inappropriate surveillance snafu recently when some employees working at their San Mateo, California, office used the company’s proprietary surveillance cameras, which are coupled with the company’s facial recognition software called Face Search, on fellow Verkada female employees in a harassing way and posted photo snapshots of them on a Slack channel.

Instead of terminating the employees involved after complaints were made to Human Resources, the employees were given the option of reduced stock options, removal of the Slack channel, or termination. Hmm, which option do you think they chose? Yes, they all chose to stay but were eventually fired by the CEO when the story went public. If the company that makes these surveillance technologies can’t even be trusted to use them ethically, how do you expect that the universities, businesses, and law enforcement agencies they market their technology to will do so either? As the saying goes, “Absolute power corrupts absolutely.” People in positions of authority will abuse their authority when presented with the opportunity; it is human nature. If we have learned nothing from history, we should have at least learned this.

App Privacy Exposure

Taking a page from the CBP and ICE playbooks, the Internal Revenue Service (IRS) has been harvesting location data collected by apps installed on mobile devices. The IRS Criminal Investigation (CI) unit has been tasked with investigating the illegal use of location data services by the IRS that are, once again, provided by Venntel. The IRS unsuccessfully attempted to use Venntel’s location services database presumably to locate deadbeat tax evaders but the information was not in the Venntel database. Whether it was successful or not, however, it is still a violation of the law without a warrant. This type of government agency legal sidestepping has become endemic and must be stopped.

CBP bought access to global location service data harvested from common apps that collect location data (e.g., weather or social media apps) of users who install them on their smartphones, which provide real-time location data even beyond the U.S. borders. Unless you are a paranoid privacy-conscious person, chances are that you own a smartphone and it has lots of apps installed on it. Some of those apps are collecting your every movement. Companies like Venntel among others have created an industry around purchasing access to smartphone app location data for the purposes of tracking people in real-time by specific identifiers that show where the phone has been. Venntel has refused to answer questions as to whether it is collecting data beyond U.S. borders in Canada, Mexico, or Europe because they know that they will be subject to more stringent privacy laws that they are in violation of. This is yet another example of how private companies are collecting your app user data without your permission and selling it to government law enforcement agencies.

The National Institute of Standards and Technology (NIST) has created a privacy technology competition worth $276,000 to the winner, awarded to whoever is able to design technology that makes it more difficult to trace large data sets back to individual users. Data tables can be obfuscated using encryption to help with secure design principles.

In yet another example of how basic electronic devices can be made into “smart” home Internet of Things (IoT) devices and abused to spy on you inside your own home, Israeli security researchers discovered that Comcast TV remotes can be hacked and used as a remote listening device for sounds within meters of the remote control’s location. This is potentially a massive invasion of privacy that Comcast will need to patch as soon as possible as over 18 million American households have Comcast as their cable TV provider. Other remotes like those that come with Apple TVs have microphones and allow users to ask “Siri” to find a TV show for them and Amazon sells remotes that work with Amazon Prime streaming services so that users can ask “Alexa” to find specific movies or programming. The ubiquity of Internet-connected, microphone-enabled devices makes hacking home WiFi networks and Tech companies spying on customers a much bigger threat than it should be.

Google Maps features include a Busyness feature that shows users real-time information on how crowded a place is before they arrive, which, while helpful during the pandemic, is a bit creepy even under those circumstances. Google knows where people are in real-time, which stores they shop at, etc. So, even if you opt out of using contact tracing apps, they can still use your phone’s location to warn others about crowded establishments or areas. What seems like a handy and convenient feature could also become a privacy nightmare in the wrong hands. As with all technology, there are usually good and bad applications of it that are possible.

The Google-owned Waze app was found to have vulnerabilities that allowed an attacker to identify and track users. There are so many ways in which we can be tracked like cattle with smartphones. Apps are just one of them but the smartphone itself has its own location services feature that sometimes even still runs when it has been turned off. In other Google-related privacy news, Google has removed the Nano Adblocker and Nano Defender apps from the official Chrome Web Store due to their collecting user data. The malicious code appears to have been added to these two apps after Google inspected the apps for initial hosting. Software code updates always run that risk. Now think of all of the apps you have installed on your smartphone and how many applications you have installed on your home laptops, desktop computers, smart TVs, and tablets… It is daunting to think about the attack surfaces that all of those apps represent on every device you own.

The controversial and secretive data-analytics company Palantir is developing a system called Tiberius in a sub-contractor capacity that will help the government track where it should send COVID-19 vaccines once they are available for distribution. This seems like a good use of technology as it will pair vaccine distribution with demographics based on age, gender, employment, and public health information to better distribute vaccines in a timely manner. However, despite Palantir’s claims that no PII will be used by the system, this is a company that has been known to operate in that shady, grey murky area with regard to human rights issues like privacy. It is a mistake to take anything Palantir says at face value.

Proctorio is an exam surveillance company that is used by colleges and universities to ensure students taking online exams do not cheat. Many educators and students have voiced strong concerns over Proctorio because of their unacceptable invasion of privacy. Proctorio even went as far as to file a copyright infringement lawsuit against the EdTech researcher, Ian Linkletter, who tweeted about how invasive Proctorio’s software was because it does use facial recognition software instead of just tracking eyeball or retina movement like other exam surveillance software. The company wanted to hush its critics and send a message to anyone else thinking about doing the same. Proctorio accused Linkletter of sharing confidential information about how to defeat the exam surveillance algorithm which jeopardizes the “safety and security of millions of students who use our platform.” Proctorio’s CEO, Mike Olsen, has used predatory tactics to intimidate students critical of his company’s software in the past.

In June of 2019, Vice uncovered the existence of a disturbing app that used AI to “undress” women. Called DeepNude, it allowed users to upload a photo of a clothed woman for $50 and get back a photo of her seemingly naked. In actuality, the software was using Generative Adversarial Networks (GAN), the gamification algorithm behind deepfakes, to swap the women’s clothes for highly realistic nude bodies so that it looks completely real. The more scantily clad the victim, the better the algorithm works. DeepNude purportedly doesn’t work on men which leaves no doubt as to who benefits from its use. As of July 2020, the bot had already been used to target and “strip” at least 100,000 women, the majority of whom likely had no idea that there were fake nude images of themselves posted on Telegram.

“Usually it’s young girls,” says Giorgio Patrini, the CEO and chief scientist of Sensity, who co-authored the report. “Unfortunately, sometimes it’s also quite obvious that some of these people are underage.”

DeepNude has been used to undress female minors as well, making it a tool of Child Sexual Abuse Material (CSAM) manufacturing. The human body is the same for the entire species of human, so an algorithm like DeepNude only needs to find the specific body parts (genitalia) that are covered in a particular photo and replace them with a similarly toned skin color. It is not difficult to imagine how this technology works but it is very wrong for anyone to use such a tool and it has dangerous implications. In some cultures, the mere existence of a nude photo of a young woman could result in her being the victim of an “Honor” killing by her own family. The app is likely already being used as a form of revenge porn against girls and women.

Ars Technica ran a piece this month that cited a study that looked at how link previews undermine the privacy of user data in various messaging apps (see chart below). Essentially, every time you post a link to a website on social media or a messaging app, the app has to go visit that site to render the preview image of the link, which can open it up to malware, drain your device’s batteries, or suck up bandwidth.

As you might have guessed, I don’t recommend using ANY Facebook-owned apps (Messenger or Instagram) due to their prior track history relating to user privacy. My recommendation is to use Signal. WhatsApp uses the Signal End-to-End Encryption (E2EE) protocol but again, it’s owned by Facebook so all credibility and trust immediately go out the window. Oddly missing from the chart is Telegram, but it matters not because I still recommend using Signal over Telegram since Telegram has had several major flaws that had to be patched and due to their current issue with the deepfake bot that I previously covered.

Featured Privacy Tactics, Techniques, Tools, & Procedures

Librem 5 Secure Phone

For those paranoids that are not content with Apple iPhones, Samsung Androids, Microsoft Windows phones, BlackBerry phones, or Google Pixel phones, Purism is making the Librem 5 phone which is a “…phone that focuses on security by design and privacy protection by default. Outfitted with hardware kill switches and specially designed hardware, you are in control of the flow of information.” It’s currently on pre-order sale for $749. Some device specs are pasted below.

BeyondKrafty Mini-GPS-Tracker

I feature this mini-GPS-tracker tech as more of a warning to readers because it can be hidden in the smallest of places. If you suspect someone is tracking you, there is a chance that someone has installed one of these GPS trackers on your vehicle or in an object you travel with. They are reasonably affordable which means almost anyone can pick a few of them up for cheap.

Removing Nudes From Your Smartphone

If you’re an Apple iPhone user, deleting nudes from your iPhone is not as simple as pressing the delete button. Actually, it’s not that simple for Android or other types of phones either. Mobile device digital forensics software is capable of recovering deleted text messages, images, videos, call logs, and app and browser history. With iPhones, if you have an Apple Watch then you will need to unpair the Bluetooth connection first, back up your data to iCloud, sign out of your Apple ID, delete all of your messages, and delete the photos and apps individually. Then you have to perform a factory reset of the iPhone to erase all content and settings before you can safely reconnect it to the Internet. Note: if you want to permanently delete the nudes, then I suggest deleting them prior to backing up your data to iCloud. Otherwise, you run the risk of syncing them back to your iPhone later.

For Android phones, it is only a matter of temporarily disabling any type of remote sync setting, logging out of Google, and removing the account. Then you encrypt the device, which will delete the pictures from your device so that any new user will not be able to recover them. Then you delete the nudes off your device and re-enable your device’s sync settings. You could also do a factory reset to permanently delete all of the data on your phone, but unless it is forensically wiped there are still tools and techniques that can be used to recover that data even after a factory reset. If you’re super-paranoid and want to defeat forensic tools, you could overwrite the memory on your device with new data just to be safe and then delete it all to free up space again.
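The overwrite-and-delete step from the paragraph above, as an added example (not part of the original newsletter), for a Python-capable terminal on the device; `overwrite_free_space` and its `max_bytes` cap are names chosen here. Flash storage with wear-levelling can keep some old blocks out of reach of any file-level overwrite, so treat this as reducing what is recoverable rather than proving erasure.

```python
import errno
import os
import tempfile

CHUNK = 1024 * 1024  # write 1 MiB of random data per call


def overwrite_free_space(directory, max_bytes=None):
    """Fill free space under `directory` with random data, then delete it.

    Returns the number of bytes written. `max_bytes` is a hypothetical
    safety cap for trial runs; None means "write until the disk is full".
    """
    written = 0
    fd, path = tempfile.mkstemp(prefix="fill-", dir=directory)
    try:
        # buffering=0 so each write goes straight to the OS and a full
        # disk is reported on the write that hits it.
        with os.fdopen(fd, "wb", buffering=0) as out:
            while max_bytes is None or written < max_bytes:
                size = CHUNK if max_bytes is None else min(CHUNK, max_bytes - written)
                try:
                    written += out.write(os.urandom(size))
                except OSError as exc:
                    if exc.errno in (errno.ENOSPC, errno.EDQUOT):
                        break  # disk or quota is full: nothing left to fill
                    raise
            # Push the data out of the page cache to the storage itself;
            # otherwise the file could be deleted before it is ever stored.
            os.fsync(out.fileno())
    finally:
        os.remove(path)  # "delete it all to free up space again"
    return written


if __name__ == "__main__":
    # Constructed trial run: a scratch directory and an 8 MiB cap.
    with tempfile.TemporaryDirectory() as scratch:
        print(overwrite_free_space(scratch, max_bytes=8 * CHUNK), "bytes overwritten")
```

Run it without the cap against a directory on the storage you want filled, and only after the files themselves have been deleted.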

Check Out the PRIVO iD Platform for Children

Parents looking for more privacy control of their kids’ mobile devices should check out PRIVO iD which allows parents to block engagement, validate a minor’s identity, obtain custodial consent when and where needed, as well as provide a one-stop-shop type of setup for parents to protect the privacy of their children on Internet-connected devices. The software will perform EdTech application privacy checks as well which I suspect some of the aforementioned EdTech apps might not pass.

Low-Tech Private Life Evasion & Anonymity Tip

Try for a moment to imagine your life without a smartphone tracking your every movement and use of it. Think back to simpler times when none of this technology existed. Was your life better before this new technology, or has the quality of your life suffered since you started using it? Think about whether the convenience of having a smartphone is worth the risks to your privacy. For some personal threat models, it makes sense. For others, perhaps not. Consider going without a cell phone for a period of time to see whether or not you really need one. Think of it as a personal privacy experiment. Will anything change or will life still go on as normal? Does not having a smartphone make you more vulnerable to being stranded somewhere without a phone? Would a burner phone work in those situations where the need is temporary?

These are all deeply personal questions that only you can answer for yourself but it is, to me at least, an intriguing thought experiment. We managed to get along fine before cell phones and smartphones which are now being manipulated to track us like animals on an endangered species list. For most people’s personal threat models, it doesn’t make sense to get rid of their smartphone. In fact, even my mentioning it is laughable to many technologists and privacy advocates. But you will never truly be private carrying a beacon device in your pocket that spills location data about you that is collected and sold.

That concludes the October 2020 edition of Becoming Virtually Untraceable. Until next time, friends, and remember to Trust No One. Verify Everything. Leave No Trace.

Additional Digital Privacy Resources:

z3r0trust Privacy Newsletters: 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, #4–20, #5–20, #6–20, #32–20, #33–20, #8–20, 16, 17, 45–20, 46–20

Web Anonymization Techniques 101 | EFFector | https://www.privacytools.io/

think bad, do good | cybersecurity & privacy engineering | keybase.io/d3structo
