Difference between revisions of "PrivacyGroup"

From das_wiki
Jump to: navigation, search
(News: added chatcontrol NLP)
Line 14: Line 14:
[[File:Calvin-messing-with-data-2.jpg|size=400px|frame|An early insight from Calvin. [[Calvin_messing_with_data|Click for the rest]] ]]
[[File:Calvin-messing-with-data-2.jpg|size=400px|frame|An early insight from Calvin. [[Calvin_messing_with_data|Click for the rest]] ]]
* [https://theintercept.com/2022/04/22/anomaly-six-phone-tracking-zignal-surveillance-cia-nsa/ Contractor claims it can track 3 billion phones in real time]<span style="color:RED">NEW</span>
* [https://www.euractiv.com/section/data-protection/news/leak-commission-to-force-scanning-of-communications-to-combat-child-pornography/ Leak shows new Chatcontrol in the EU to include generalized scanning obligation to read every person's private texts] - The consequences of mistakes by suspicionless monitoring like this, whether automated or not, are different from the consequences of investigations that require some standard to be met (as current approach to the problem are).<span style="color:RED">NEW</span>
* [https://www.phoronix.com/scan.php?page=news_item&px=OpenSSH-9.0-Released Post quantum SSH] - Joins a growing number of important projects. Uses [https://ntru.org/ NTRU], which was the subject of some [https://csrc.nist.gov/CSRC/media/Projects/post-quantum-cryptography/documents/round-3/official-comments/NTRU-round3-official-comment.pdf controversy].<span style="color:RED">NEW</span>
* [https://theintercept.com/2022/04/22/anomaly-six-phone-tracking-zignal-surveillance-cia-nsa/ Contractor claims it can track 3 billion phones in real time]
* [https://www.phoronix.com/scan.php?page=news_item&px=OpenSSH-9.0-Released Post quantum SSH] - Joins a growing number of important projects. Uses [https://ntru.org/ NTRU], which was the subject of some [https://csrc.nist.gov/CSRC/media/Projects/post-quantum-cryptography/documents/round-3/official-comments/NTRU-round3-official-comment.pdf controversy].
* [https://techcrunch.com/2022/03/09/clearview-italy-gdpr/ ClearviewAI fined €20M by Italian data protection agency for GDPR violations] - Location and biometric data of Italians and people in Italy are "processed illegally."
* [https://techcrunch.com/2022/03/09/clearview-italy-gdpr/ ClearviewAI fined €20M by Italian data protection agency for GDPR violations] - Location and biometric data of Italians and people in Italy are "processed illegally."
* Several [http://government.ru/en/ Russian] [http://www.fa.ru/eng/ government] [http://en.kremlin.ru/ sites] are down in the wake of Russia's invasion of Ukraine - As of Thu 24 Feb 2022 10:32 AM -07 (MST).  
* Several [http://government.ru/en/ Russian] [http://www.fa.ru/eng/ government] [http://en.kremlin.ru/ sites] are down in the wake of Russia's invasion of Ukraine - As of Thu 24 Feb 2022 10:32 AM -07 (MST).  

Revision as of 12:55, 14 May 2022

This page is an effort to maintain an updated collection of important work on privacy. Recommend stuff from this page? Link to us!

Hooray! 100K 275K 300K 350K 400K450K views


Events in this calendar are to privacy-related events. Click an event for more details, and links.


An early insight from Calvin. Click for the rest

WYDEN: "Would you agree to inform Americans about any circumstances in which the Intelligence Community purchases their data, and the legal basis for doing it?"

HAINES: "...I would try to publicize essentially a framework that helps people understand the circumstances under which we do that, and the legal basis that we do that under."

Wyden's activities since the hearing reflect that Haines's answer to the question about transparency in this area was basically "no." It is unclear whether the framework Haines mentions is in the 2021 SIGINT annex to the DoD Manual S-5240.01-A, since that document is redacted.

Tools help

People often tell me they are unsure about which privacy-enhancing technologies to use, and how to set them up. Here are some suggestions.

secure hardware elements

operating systems

  • Qubes ...OK, not an OS... (also here is a brief description of getting wireless networking working)
  • Tails
  • OpenBSD - Great documentation, elegant base system, fast response to security bugs. Great for firewalls , for example, but also more and more suitable for general use.
  • Debian:
    • the machine-id is a more stable identifier than other things that could be used as stable identifiers. There are other ways to identify a machine, of course, but this one is stable and easy to get in a variety of ways. Resetting it is no big deal, though (and can be done without the "unpredictable consequences" mentioned without explanation in the link)! Follow these instructions. Devuan, a systemd-free fork of Debian, patched this. The instructions here assume systemd).

censorship resistance

  • Psiphon - I don't know how good this is yet. Here's a contributor talking about it at a previous CCC.

anonymous browsing


  • Tor Browser for everyday Use a second installation of the Tor Browser for everyday browsing without connecting to tor. Very actively maintained (better than regular FF); works great. Why do this? A big reason is TB has much, much better fingerprinting protection.
    • Related: Tor is one of the few browsers to block the prolongation attack that allows tracking using TLS. Test it here, (check under "Protocol Details" to see if "Sessions tickets" is yes.)
    • A fun and useful thing to do is build your own browser to scratch your own itch. For example, if you don't like some CAs after the DarkMatter fiasco, you might rip them out (just saying). It's unfortunately kind of annoying to figure out how to do it, but fortunately I've already done that: see here.
  • Changing search providers in Firefox and Tor Browser without 'search addons" etc. is an indefensible PITA. Here's how to do it: if you have rid yourself of the cruft that is the separate search bar to the right of the address bar---as all people of sound mind and good will have done---then temporarily add it in using the 'Customize...' option (right-click on an empty area to the right of the tabs to see 'Customize...', drag the search bar next to the address bar). Now go to a search engine site---currently I like searx, one instance is searx.me---, and click the magnifying glass icon with the green plus, then click "add 'searx.me'). Now go to your preferences (Edit->preferences, or Alt-E, N if you don't have a menu bar) and set your default search provider to the new one you added. Finally do the customize rigamaroll again, but drag the superfluous search bar off. Wasn't that easy?!
  • Why not Chrome/Chromium? -- It does have a sandbox, but it is also the most privacy invasive browser (of the major ones). Also Google controls the extensions for it, and they are sometimes unjust.

browser tools

these all work with Tor Browser, Icecat, or (vanilla) Firefox.

  • Firefox extension spoofing Google's FLoC! - FLoC's cohort IDs can be correlated to identify users. Rather than having server operators send an opt-out header, do your part as a user and send a random ID! (Note: Requires resetting the User-Agent to Chromium).
  • Try blackhole-ing tracking domains with this handy list, formatted for ready inclusion in your /etc/hosts file from the trackers listed in the Exodus ETIP (shoutout to the Yale Privacy Project contributions). Now visit a site and watch the 0B transfers flow.
  • Random Agent Spoofer (blocks a variety of fingerprinting attacks)
  • RequestPolicy (By Justin Samuel and Beichuan Zhang, of University of Arizona!)
  • NoScript
  • PrivacyBadger (EFF)
  • Self-Destructing Cookies
  • HTTPS Everywhere (EFF)
  • BetterPrivacy (removes LSO's -- supercookies -- which survive normal cleaning of cookie cache)
  • decentraleyes - runs CDN scripts locally, rather than using remote CDNs (which is trackable)
  • Privacy Settings (the plugin) -- Gives quick access to useful privacy settings in the browser, with toggle switches.
  • Update Scanner -- Useful for watching privacy policies for changes (since that is your obligation, as a continuing user of the site. Often such changes are not highlighted; only a new version is posted).

testing for problems

facial recognition


  • Matrix combines a zillion services into one - Not just more private, but more convenient. IRC, Slack, Signal, SMS, WhatsApp, Mastodon, Twitter, Discord, Tox, iMessage, and many more. Contact me if you'd like to use my instance, which supports many bridges.
  • OTR is not a great idea - OTR became well known after a few high-profile uses, but nowadays it's not a great idea. Biggest problem is forward secrecy, especially since quantum computing is not a question of if, but when. I disagree with one of the article's alternatives, Signal, since it's centralized and coerce-able, but some OMEMO implementations are OK (more on that soon).

other tools

  • Standard SKS servers for PGP keys are broken, use Hagrid servers instead - A good one to use to keep your keys up to date (see parcimonie, below) is keys.openpgp.org.
  • Security freeze for great good -- Prevent not just identity theft, but resale of your data by the Credit Reporting Agencies with a security freeze.
  • Keep your PGP keys up to date, privately -- Parcimonie updates your keyring over tor (catching revocations and expirations), at random intervals. It leaves open a connection to tor for a long time, so you may want to run it as a cron job and kill it after some interval.
  • anonymize scanned printouts from printers using tracking dots. From TUD, where lots of useful privacy tools have been created (kudos)
  • Protecting against baseband firmware backdoors, and provider backdoors-- A little outdated, but still full of good stuff. This is a comprehensive approach; for specific tools see below. EDIT: RIP Copperhead OS.
  • Silence SMS/MMS. Recommended -- Mark Zuckerberg says: "many people use Messenger on Android to send and receive SMS texts. Those texts can't be end-to-end encrypted because the SMS protocol is not encrypted." Well, I guess I wouldn't expect much understanding of privacy tech from Mr. Zuckerberg.
  • Noise is just like Signal, but without the hard dependency on Google Play Store. It is therefore better! But Silence is better still...
  • Get an RSS feed reader to keep up to date on privacy-related sites. For example *cough* subscribe to the PrivacyGroup's feed (It's good to use a secure RSS reader. For mobile there is Courier from The Guardian Project).
  • Youtube-dl -- Downloads a variety of streaming formats -- not just for youtube! Can be used with torify (see below) to anonymously view streaming video/audio that otherwise compromises privacy (e.g., flash). Note the version in packages is often not up to date--install the latest with pip to get a version that actually works.
  • Torify -- A SOCKS proxy to the Tor network, and a wrapper to use it, so you can e.g. look up GPG keys, or perform WHOIS queries, anonymously.
  • Get a GPG key
  • installing the latest GPG
  • Get a Gnuk token! -- Good way to do encryption in a protected dedicated device. You can buy them, or build them yourself
  • secure SSH

Other Sites with Tools for Protecting Your Digital Rights

Tools for Making Consent to Privacy Policies More Informed

Why care about privacy?


Giving up privacy

How universities can help



Privacy theme music!