PrivacyGroup: Difference between revisions

This page is an effort to maintain an updated collection of important work on privacy. Recommend stuff from this page? Link to us!

Hooray! 100K 275K 300K 350K 400K450K500K views (internal page counts were reset)

News

An early insight from Calvin. Click for the rest

• ICE gains access to Paragon's mobile device infection and exfiltration tools - Tools designed to compromise phones and exfiltrate messages from messengers like Signal now available to ICE. NEW
• Peter Thiel, other Tech CEOs Commissioned as Lieutenant Colonels Thiel heads Palantir; see previous item.
• US gov't installs vast surveillance infrastructure with Palantir - Rationale in EO 14243 is "data sharing" across agencies. When surveillance infrastructure is created by the Executive, history has shown, repeatedly, that it will be used in increasingly expansive and abusive ways.
• Google again found to be a monopolist - Judge in case brought by DoJ and coalition of states finds Google liable for “willfully acquiring and maintaining monopoly power” in ad exchanges, paving the way for an argument for a breakup. This adds to separate finding that Google is a monopolist in online search (see below).
• Mark Klein has Died - Whistleblower at AT&T revealed the information that led to the the Room 641A scandal. Whistleblowers of conscience like Klein, who are "at the coal face" implementing bad policy, are often highly impactful.
• Google Removes Black History Month, Pride, and Other Cultural Events from Calendar - Framadate is an alternative for arranging events with others without endorsing this.
• FBI warrantless backdoor searches of 702 data ruled unconstitutional
• Google Authenticator a Pretext for Collecting Data - This is reminiscent of Facebook and Twitter collecting a phone number for multi-factor auth., then using it for marketing (the FTC was not amused).
• New Quantum Attack on Cryptosystems We All Rely On - The important bit is that 22-bit RSA is broken. The small key used here is not reassuring, given how scaling works with quantum networks.
• Google violated antitrust law with search monopoly - Google "is a monopolist, and it has acted as one to maintain its monopoly," U.S. District Judge Amit Mehta said. This might explain why Google holds 90-95% of the search market, despite plummeting search quality (see also item immediately below).
• DOJ Public Filing of Internal Google Emails Shows Push for "Engagement Hacking" at Expense of User Experience -- "There was a good reason our founders separated search from ads. Are you guys signing up for this?" (p. 7). They did sign up for it, and the former head of Ads is now head of Search.
• FISA Reform Bill Debated in House Rules Committee - FISA may not be renewed at all, after revelations of over 278K illegal queries of US persons from the FBI, including searches for political protestors and supporters of congressional candidates. This hearing is about keeping FISA, but reforming it. HPSCI members, who are partly responsible for the failure of oversight, argue against a warrant requirement.
• 43 state Attorneys General join a letter urging strengthened privacy protection for children - This is a response to the FTC's request for comments on COPPA, which the AGs and the FTC both enforce.
• Haugh nomination hearings for Director of NSA @ 01:02:22 Timothy Haugh affirms that the NSA will not weaken encryption technology used by Americans. In written response submitted later, Haugh also says weak standard for search of 702 data for Americans is fine, need not be strengthened to probable cause like EO 12,333 data.
• Intel GPU drivers collect telemetry - Includes information on which websites you visit, "how you use your computer," and on "other devices in your computing environment." NVIDIA does the same thing, without an opt-out.
• TETRA standard for radio communications encryption has had serious flaws for years - Article notes reliance on the standard across government, but does not mention secure radio's importance to drug cartels . Disclosure was held back since the flaws' discovery in 2021.
• Facebook solicited NSO Group for tools to track its users - Facebook offered a VPN, then sought to analyze web traffic from those who used it.
• Gigabyte motherboard manufacturer caught with firmware backdoor - Continues tradition of Lenovo and Supermicro.
• Indian Gov't Bans 14 Mobile Messaging Apps - Scope of the ban across India is unclear. List includes Briar, Element, and Threema.
• House Committee on the Judiciary Discusses FISA Reauthorization - 15 years later, far-reaching changes to surveillance brought by the FAA in 2008 originally justified as a temporary response to immediate terrorist threats are up for a third temporary reauthorization. Hearing focus is on FBI. PCLOB aims to provide a report by this summer (@1:26:55).
• ODNI To Release Report on US Intel Practice Of Purchasing Data Collected by Private Companies - Data in question includes sensitive data on Americans. DNI Avril Haines convened a panel on the issue, which produced the report. No word on the "framework" Haines proposed at her confirmation hearing when asked about the same issue (see below).
• Google plans to locate your phone even when it is powered off - Snowden revelations revealed the NSA has been able to do this since at least September 2004. When Privacy International investigated it then, Android's head of security said it might be accomplished by compromising the baseband firmware (he had previously worked at NSA). (here, at 23:51)
• Swedish government advises against using Zoom - eSam, comprising 34 Swedish government organizations, concludes that privacy and security risks are prohibitive, and recommends Nextcloud instead.
• Supreme Court declines Wikimedia Fdn. challenge to NSA mass surveillance - At issue in particular was the upstream collection programs. FISA is up for renewal this year.
• Many cars are connected to services managed through the web. The security for the sites providing interfaces to those services is not great -- List includes Kia, Honda, Infiniti, Nissan, Acura, Mercedes-Benz, Hyundai, Genesis, BMW, Rolls-Royce, Ferrari, Ford, Porsche, Toyota, Jaguar, Land Rover, and Spireon (Fleet Management for Police, Ambulance, Truckers, and Private Firms)
• Google settles with DC AG for peanuts - Far more significant is the change in how location permissions apply across range of Google services (see below).
• CCC members bought US military biometric devices from pre-withdrawal Afghanistan on eBay, found them encrypted with default passwords - This is dangerous for Afghans in the database.
• European Data Protection Board rules that GDPR's "contractual necessity" does not mean that Meta is allowed to track users so long as they add a line about doing so in their ToS - Ruling overturns the Irish Data Protection Commission's earlier decision.
• Google makes location permissions silently apply across broad range of Google services - New uses of location data can only be guessed, but an expansion of use seems likely, and would happen without further consent across all google.com sites.
• Statement of Support for Jacobs-Davidson Amendment to the NDAA - Jacobs-Davidson requires disclosure of unclassified information about DoD purchase of data that would otherwise require a court order.
• CNIL fines Discord Inc €800K for violating GDPR
• San Diego Approves Ordinance Requiring City Council to Approve Surveillance Technology with Input from Community Members Movement began when a network of 3,000 cameras was installed by San Diego PD.
• Netherlands bans the use of current versions of Google's email and cloud services in the education sector. Denmark has done the same, expressing "serious criticism and banning Google Workspace." Perhaps it is time for a more user-operated Internet for education.
• UK joins Italy in large fine of Clearview AI - In addition to Italy, "[a]uthorities in Australia, Canada, France, and Germany have reached similar conclusions" about Clearview's privacy violations. The UK's information commission worked with its Australian counterpart for the investigation.
• Leak shows new Chatcontrol in the EU to include generalized scanning obligation to read every person's private texts - The consequences of mistakes by suspicionless monitoring like this, whether automated or not, are different from the consequences of investigations that require some standard to be met (as current approaches to the problem do).
• Contractor claims it can track 3 billion phones in real time
• Post quantum SSH - Joins a growing number of important projects. Uses NTRU, which was the subject of some controversy.
• ClearviewAI fined €20M by Italian data protection agency for GDPR violations - Location and biometric data of Italians and people in Italy are "processed illegally."
• Several Russian government sites are down in the wake of Russia's invasion of Ukraine - As of Thu 24 Feb 2022 10:32 AM -07 (MST).
• Zoom appears to be accessing the mic in the background - Reports are from Mac users with the Zoom app open, but not in any call.
• CNIL fines Google €150M - Design of consent UI on youtube.com and google.fr is too dark pattern-y, they say (basically). The full list of sanctions from CNIL is here.
• Four US attorneys general sue Google over privacy claims
• Investors representing US$8.7T+ in assets call for Internet regulation supporting privacy rights for Europeans
• FBI uses foreign nationals to circumvent restrictions on domestic surveillance - EO 12,333 prohibits US intelligence from this kind of "indirect participation" in prohibited activity. I don't know if there is a similar ban for law enforcement being sidestepped here.
• Russia officially blocks Tor - Also a few new VPNs have been blocked.
• In honor of privacy week - A poem by W.H. Auden
• Post Quantum Curl - Of course, there are other problems with TLS, but this is part of a vanguard of postquantum support (e.g., wireguard, too).
• Chaos Communication Congress cancelled - 37C3 will await winter 2022, due to COVID-19 concerns. (No word on a possible r2C3 There will be an online event, it seems).
• Australia passes far-reaching surveillance bill in 24 hours - Australia is also home to a law backdooring its companies' encryption (e.g., Atlassian), which privacy and security experts in the US have fought since the first cryptowars in the 90s.
• 7K people, including some well-known researchers and activists, sign a letter against Apple's client-side monitoring framework - No "All Writs Act" defense will be possible for Apple with this framework already in place, unlike the Boston Bomber case. Similarly, governments in important markets will see a tempting tool for monitoring dissidents and other forms of social control, and Apple has a hard time saying no to them.
• The Grand Chamber of the European Court of Human Rights has ruled that some of UK mass surveillance law violates Articles 8 and 10 of the Convention - Nice discussion of relevant domestic (UK), international, and EU law, with a section on comparative law and practice. Applications were made right after the Snowden revelations in 2013; the judgment came in May 2021.
• Daniel Hale, whistleblower on US drone warfare, sentenced to four years - Out of eleven prosecutions of leakers under the Espionage Act all-time since 1918, seven have come in the last three administrations.
• Wide-area Persistent Surveillance in Baltimore ruled unconstitutional - Continues the ongoing history not just in Baltimore, but around the country. Search "persistent" on this page.
• Internet Archive is 25 years old today! - A wonderful public service, worthy of a birthday present
• Leak shows NSO group's mobile device infection and exfiltration tools are used globally to spy on and harm journalists, judges, political opponents - 50,000 phones were revealed to have been attacked, but any phone with iOS and Android is vulnerable, including those kept updated.
• "Chatcontrol" in the EU breaks messenger protections to search for child abuse content - In the EU privacy is a derogable right; this is a derogation. Too broad, as it scans everybody; and too narrow, as there are plenty of messengers that cannot be broken in this way.
• State challenge to Census's privacy protections rejected - A federal court has rejected Alabama's challenge to the Census's use of Differentially Private mitigation techniques to protect its released data.
• Reality Winner released from prison - Winner was charged for revealing the US government's conclusion that Russia had attempted to interfere in the 2016 presidential election. The role of the public interest in truthful revelations by whistleblowers is at the heart of recent controversy over an unprecedented increase in use of the Espionage Act against them.
• Colorado passes a new privacy law, similar to California and Virginia's - The link has the state of play in other states.
• Big brother awards for 2021
• Several DoD agencies appear to be purchasing commercial data that they cannot otherwise obtain on Americans - This letter is a follow-up letter by Wyden; it implies something interesting in the five responses to his original letter that he was not allowed to share with the public. DNI Avril Haines's confirmation hearing back in January included this exchange @01:37:30:

WYDEN: "Would you agree to inform Americans about any circumstances in which the Intelligence Community purchases their data, and the legal basis for doing it?"

HAINES: "...I would try to publicize essentially a framework that helps people understand the circumstances under which we do that, and the legal basis that we do that under."

Wyden's activities since the hearing reflect that Haines's answer to the question about transparency in this area was basically "no." It is unclear whether the framework Haines mentions is in the 2021 SIGINT annex to the DoD Manual S-5240.01-A, since that document is redacted.

• Uber tracked taxi drivers who went to protests, and fired them
• Remote code execution vulnerability found in Zoom - Affects the app, not web-based access. Zoom is considered harmful.
• Google apps' data collection is embarrassing to them - Quietly collecting this much on users' every move works better than doing so openly, so they fought Apple's demand for transparency.
• Signal blocked at the ISP level by Iran - Centralization is a design weakness, and Signal defends its centralization aggressively. Consider Briar, deltachat, or Matrix chat (which combines many services) instead.
• University of Arizona Privacy Statement page is rife with trackers - Report a concern here
• AZ Supreme Ct. rules Internet users have no reasonable expectation of privacy for the information available to their ISPs - No warrant required means the risk to privacy for ordinary, innocent people increases. Fitting a pattern, a case about child exploitation is leveraged for wide impact. See tips below on using Tor or VPNs to secure your information from your ISP.
• 4th Circuit Ct of Appeals to take up challenge to use of Military Wide-Area Persistent Surveillance technology in Baltimore - Increasing use of WAPS is mentioned below multiple times; this is part of a history.
• WhatsApp pulls a switcheroo - Facebook (owner of WhatsApp) now gets your phone number, among other things.
• Police Departments around Tucson now do have agreements with Ring - See below for earlier news on this. An up to date record of police requests for video from private users of Ring doorbells here
• Apple's official guide to avoiding abuse of iOS features - Addresses problems of stalking, IPV, and other cases where personal safety is at risk.
• Mozilla argues against antitrust Google case - Not mentioned, but by now well-known: Mozilla gets the lion's share of its funding from an arrangement to have Google as the default search engine in Firefox.
• Key protecting Intel microcode extracted - These guys used their Intel Management Engine exploit to do it, which is mentioned below from a few years back (they presented it at Blackhat 2017).
• "Justice Department Sues Monopolist Google For Violating Antitrust Laws: Department Files Complaint Against Google to Restore Competition in Search and Search Advertising Markets" - That's the title. New issues compared to the FTC's look back in 2013, which involved five Attorneys General disjoint from the eleven cited by DoJ.
• GPG has an important update - Affects versions found in most package managers.
• EARN IT Act passed Senate, introduced into the House - EARN IT attempts to weaken encryption for US companies who want liability protection under 230; opens politicians who opposite it to the charge they're on the side of child predators. A similar bill, the Lawful Access to Encrypted Data Act, is more honest.
• Internet archive sued - Publishers sue during the pandemic to shut down an organization that tried to help. Thanks a lot, guys!
• Military aerial surveillance technology deployed in Baltimore - High resolution, persistent capture of images of large areas of a city. Developed for use in Fallujah, brought to Dayton, OH and Baltimore, MD pbs coverage, Radiolab on the first time this happened, PSS, a company doing WAPS
• List of third parties with which Paypal shares payment information - Used to be around 600 names; I haven't counted the updated numbers
• Transparency report about records collected under 702 has been released
• Facebook makes suckers lists easy - FB allows targeting based on interest in "pseudoscience," is called out on it, and takes it down, completing a cycle that has repeated many times before (see: targeting "jew hater").
• Police Departments around Tucson appear not to have agreements with Ring - See above
• 77 day extension passed for the USA FREEDOM Reauthorization Act kicks the can to May 31st.
• Recent dust-up over FBI access to databases of records collected under 702.
• Wireguard to be included in the next Linux kernel
• Private Internet Access (PIA) is now owned by a company with questionable past - The company, formerly called Crossrider, was responsible for scads of adware.
• Startpage.com is now owned by an advertising company - Tough to trust them in the future. Consider search.disroot.org
• The trouble with Cloudflare. Blocks Tor, blocks bots (even good ones), MiTMs connections and can break TLS. Unknown history with DHS following overtures to Cloudflare's previous incarnation, Project Honeypot.
• Dropbox has updated their privacy policy Check it out if you use it (I don't, when I can avoid it).
• OSTIF will audit Unbound DNS
• HTTPS interception -- Around 15% of HTTP connections over TLS are being intercepted, according to the traffic sample (about 10%) visible from Cloudflare. Maybe the green lock should turn orange-ish?
• Mark Zuckerberg's "Privacy-Focused Vision" -- "Privacy gives people the freedom to be themselves and connect more naturally, which is why we build social networks." FB was built not for your freedom, but to make money selling ads. Confidential messaging makes you feel safe, but all of FB's bad privacy practices are made more effective by that feeling, not less.
• Breach of Amadeus affecting millions of airline travelers.
• Londoners on the perpetual line-up -- Being "in public" seems to have an evolving meaning. See also the US.
• Report on the mistakes leading to the Equifax breach of 148 M records -- From the House Committee on Oversight and Government Reform. Makes you wonder if banks (and others) might compete on being less profligate "furnishers" to CRA's---maybe discriminating among CRAs by their security and privacy practices (Equifax got 0 out of 10 for these from the financial index provider MSCI here). I'd prefer a bank that did that.
• AI Now Institute issues an "urgent warning" about privacy threats from AI. -- The article and warning are problematic, but there is this bright spot from the news article on it: "'artificial intelligence' — an umbrella term that includes a myriad of both scientific attempts to simulate human judgment and marketing nonsense"
• McSweeney's End of Trust issue is available free from the EFF (but do support them for creating this great work)!
• Tim Berners-Lee's Solid project is maturing; there is now a start-up (Inrupt) developing it
• Google's deceptive location tracking under investigation by the AG in Arizona.
• California joins Illinois as among the most privacy-protective states in the US.
• IEEE is also against exceptional access
• Big privacy win in Carpenter v. U.S.
• James Clapper and James Comey make appearances to promote their books. Jim Comey is on Conan, James Clapper is on 1A on NPR (44:10 is funny), and All Things Considered on NPR.
• Spate of leaks: Grindr (which, with OPM breach, could lead to blackmail of government employees, not unlike Ashley Madison); Panera Bread; Facebook; Myfitnesspal. Consider giving an alias rather than a real name to services online (which is perfectly legal, as long as you don't use it for fraud), spamgourmet.com for addresses, privacy.com for credit cards
• Privacy fundraiser underway where DuckDuckGo will match donations!
• Mixpanel analytics, present on a zillion sites, takes in passwords on some of them
• Carpenter v. US, a SCOTUS case in which the government is arguing that owning a cell phone means your physical movements can be tracked, is now underway.
• Extent of AT&T is greater than expected (billions of emails, all communications at the UN headquarters, 1.1 billion domestic call records per day, etc.). This is all from further study of the Snowden revelations, it looks like.
• European court of human rights to rule on UK surveillance. -- Includes claim that only "sentient examination" of data violates privacy. See the NSA on 'collection' for a similar argument.
• Arbitrary code execution on the Intel Management Engine, probably! (talk is upcoming)
• DoJ says it wants to take tougher measures with technology companies whose encryption is not backdoored -- The measures they plan to take are not specified. Negotiation hasn't worked, they say.
• DHS plans to collect social media info on all immigrants, including naturalized citizens and green-card holders
• ISO rejects NSA crypto.
• Equifax loses trove of highly sensitive data
• CIA head Mike Pompeo wants bulk metadata collection back
• Germany considering fingerprinting children and spying on personal messages.
• GnuPG is running a fundraising drive. Give them a little money; their product helps people all over the world!
• US ISPs can now sell data that their subscribers send across their lines. Oh well; we should buy the records of our members of congress to thank them
• Lavabit returns. How does it compare to protonmail, or mailpile? Let me know; I haven't looked into it.
• All US visitors from Muslim majority countries soon may have to give up social media passwords to enter Given rapidly eroding rights at the border, everyone should see what you can do at the link in this section below
• WhatsApp has an in-effect-backdoor by default. The justification for failing to provide security by default is that "otherwise people might not use it," ignoring that run-of-the-mill users of WhatsApp might falsely believe that promises of end-to-end encryption for their messages means that those messages cannot be intercepted.
• Google and government, via the Google Transparency Project. Google lobbies to influence policy to reduce consumer privacy. This article also discusses the NSA-Google relationship.
• Riseup warrant canary expires, Riseup is alerted, but the canary is not updated.
• FBI now can compromise computers outside the jurisdiction of the court issuing the warrant, including overseas.
• Trump pick for CIA head, Mike Pompeo, says in the Wall Street Journal that "the use of strong encryption in personal communications may itself be a red flag" that a person is a terrorist.
• Extreme surevillance via "Snooper's Charter" is now law in the UK. Among other things, requires internet providers to log websites that their customers connect to.
• FCC requires customer opt-in for ISPs to share "sensitive data", opt-out for "other" data. Previously there was no regulation)
• be wary of dictionary sites (dictionary.com, merriam-webster.com). They have high concentrations of trackers -- Part of the "What they Know" coverage in the Wall Street Journal.
• Tucson Police Department has a "Freedom on the Move" Camera, uses it to monitor anti-islamophobia protest on U. Arizona campus (By Tucson-based Strongwatch)
• James Comey tapes his laptop camera, thus creating a "warrant-proof camera."
• Head of FTC won't use fitbit b/c of privacy worries
• Cybersecurity Sharing Act added at the last minute to a 2K page omnibus spending bill
• police and drone use in Baltimore
• U.N. Report on Encryption as a right. "... [T]he present report examines two linked questions. First, do the rights to privacy and freedom of opinion and expression protect secure online communication, specifically by encryption or anonymity? And, second, assuming an affirmative answer, to what extent may Governments, in accordance with human rights law, impose restrictions on encryption and anonymity?"
• CMU study supports that Google cannot police abuse of its ad system, resulting in violation of privacy
• CEO of Hacking Team interviewed on BusinessInsider

Tools help

People often tell me they are unsure about which privacy-enhancing technologies to use, and how to set them up. Here are some suggestions.

secure hardware elements

• Set up FIDO U2F
• Set up an OpenPGP smartcard

operating systems

• Qubes ...OK, not an OS... (also here is a brief description of getting wireless networking working)
• Tails
• OpenBSD - Great documentation, elegant base system, fast response to security bugs. Great for firewalls , for example, but also more and more suitable for general use.
• Debian:
  • the machine-id is a more stable identifier than other things that could be used as stable identifiers. There are other ways to identify a machine, of course, but this one is stable and easy to get in a variety of ways. Resetting it is no big deal, though (and can be done without the "unpredictable consequences" mentioned without explanation in the link)! Follow these instructions. Devuan, a systemd-free fork of Debian, patched this. The instructions here assume systemd).

censorship resistance

• Psiphon - I don't know how good this is yet. Here's a contributor talking about it at a previous CCC.

• Lantern - Broadly on the PeekABooty model. For censorship circumvention; not anonymity. Old code, but new distributed binaries in git makes it difficult to trust.
• Tor (see below)
• Mullvad VPN -- A good vpn. Update: they've been audited by Cure53, with good results.
• OpenVPN's latest version was audited, which helps with trustworthiness -- If you run your own VPN (which is easy), this is a good reason to make sure you're using 2.4.2 or better (I had to compile from source, as the packages aren't up to date). Update: Wireguard is a better choice, nowadays.

anonymous browsing

• Set up an alias, with associated accounts. This is perfectly legal as long as you don't use it for fraud, as Julia Angwin notes in her article for Consumer Reports.
• Tor -- I suggest subscribing to the RSS feed of the blog of the Tor project to be sure you stay up to date.
• Also who uses Tor?

browsers

• Tor Browser for everyday Use a second installation of the Tor Browser for everyday browsing without connecting to tor. Very actively maintained (better than regular FF); works great. Why do this? A big reason is TB has much, much better fingerprinting protection.
  • Related: Tor is one of the few browsers to block the prolongation attack that allows tracking using TLS. Test it here, (check under "Protocol Details" to see if "Sessions tickets" is yes.)
  • A fun and useful thing to do is build your own browser to scratch your own itch. For example, if you don't like some CAs after the DarkMatter fiasco, you might rip them out (just saying). It's unfortunately kind of annoying to figure out how to do it, but fortunately I've already done that: see here.

• Changing search providers in Firefox and Tor Browser without 'search addons" etc. is an indefensible PITA. Here's how to do it: if you have rid yourself of the cruft that is the separate search bar to the right of the address bar---as all people of sound mind and good will have done---then temporarily add it in using the 'Customize...' option (right-click on an empty area to the right of the tabs to see 'Customize...', drag the search bar next to the address bar). Now go to a search engine site---currently I like searx, one instance is searx.me---, and click the magnifying glass icon with the green plus, then click "add 'searx.me'). Now go to your preferences (Edit->preferences, or Alt-E, N if you don't have a menu bar) and set your default search provider to the new one you added. Finally do the customize rigamaroll again, but drag the superfluous search bar off. Wasn't that easy?!

• Why not Chrome/Chromium? -- It does have a sandbox, but it is also the most privacy invasive browser (of the major ones). Also Google controls the extensions for it, and they are sometimes unjust.

browser tools

these all work with Tor Browser, Icecat, or (vanilla) Firefox.

• Firefox extension spoofing Google's FLoC! - FLoC's cohort IDs can be correlated to identify users. Rather than having server operators send an opt-out header, do your part as a user and send a random ID! (Note: Requires resetting the User-Agent to Chromium).
• Try blackhole-ing tracking domains with this handy list, formatted for ready inclusion in your /etc/hosts file from the trackers listed in the Exodus ETIP (shoutout to the Yale Privacy Project contributions). Now visit a site and watch the 0B transfers flow.
• Random Agent Spoofer (blocks a variety of fingerprinting attacks)
• RequestPolicy (By Justin Samuel and Beichuan Zhang, of University of Arizona!)
• NoScript
• PrivacyBadger (EFF)
• Self-Destructing Cookies
• HTTPS Everywhere (EFF)
• BetterPrivacy (removes LSO's -- supercookies -- which survive normal cleaning of cookie cache)
• decentraleyes - runs CDN scripts locally, rather than using remote CDNs (which is trackable)
• Privacy Settings (the plugin) -- Gives quick access to useful privacy settings in the browser, with toggle switches.
• Update Scanner -- Useful for watching privacy policies for changes (since that is your obligation, as a continuing user of the site. Often such changes are not highlighted; only a new version is posted).

testing for problems

• Check whether you have "safe browsing" features turned on. -- Firefox sends 32-bit prefix hashes of your URL to Google as a "safety" measure. I don't recommend using this (and related) features, since the problem with Google is bigger than the security one this mechanism is trying to solve. So if you get a warning visiting this page, investigate how to turn off "safe browsing" features here.
• new fingerprint checker, targeting Tor users in particular
• new fingerprinting technique Uses AudioContext and getClientRects. Recommended defense is NoScript.
• panopticlick
• browserleaks
• dns leak test -- Test whether you're leaking DNS information while on your VPN, and fix it

facial recognition

• Fawkes - Change your pictures imperceptibly to foil facial recognition.
• Facial Weaponization Suite - More privacy protest than technical countermeasure. "Collective masks" from aggregated face data of participants in workshops.
• Hyperface Much like Glamouflage, designed to drive up false alarms in facial recognition. Update: available in August. Delayed, with no deadline given
• Reflectacles try to ignore the goofy promo. video :-)
• Privacy Visor - Can be purchased by emailing this address at Nissey Co., Ltd.
• CV Dazzle
  • Russian artists are still trying to use this. Does not work on human cops, who arrest them.
• Glamouflage
• Flashback

chat

• Matrix combines a zillion services into one - Not just more private, but more convenient. IRC, Slack, Signal, SMS, WhatsApp, Mastodon, Twitter, Discord, Tox, iMessage, and many more. Contact me if you'd like to use my instance, which supports many bridges.
• OTR is not a great idea - OTR became well known after a few high-profile uses, but nowadays it's not a great idea. Biggest problem is forward secrecy, especially since quantum computing is not a question of if, but when. I disagree with one of the article's alternatives, Signal, since it's centralized and coerce-able, but some OMEMO implementations are OK (more on that soon).

other tools

• Standard SKS servers for PGP keys are broken, use Hagrid servers instead - A good one to use to keep your keys up to date (see parcimonie, below) is keys.openpgp.org.
• Security freeze for great good -- Prevent not just identity theft, but resale of your data by the Credit Reporting Agencies with a security freeze.
• Keep your PGP keys up to date, privately -- Parcimonie updates your keyring over tor (catching revocations and expirations), at random intervals. It leaves open a connection to tor for a long time, so you may want to run it as a cron job and kill it after some interval.
• anonymize scanned printouts from printers using tracking dots. From TUD, where lots of useful privacy tools have been created (kudos)
• Protecting against baseband firmware backdoors, and provider backdoors-- A little outdated, but still full of good stuff. This is a comprehensive approach; for specific tools see below. EDIT: RIP Copperhead OS.
• Silence SMS/MMS. Recommended -- Mark Zuckerberg says: "many people use Messenger on Android to send and receive SMS texts. Those texts can't be end-to-end encrypted because the SMS protocol is not encrypted." Well, I guess I wouldn't expect much understanding of privacy tech from Mr. Zuckerberg.
• Noise is just like Signal, but without the hard dependency on Google Play Store. It is therefore better! But Silence is better still...
• Get an RSS feed reader to keep up to date on privacy-related sites. For example *cough* subscribe to the PrivacyGroup's feed (It's good to use a secure RSS reader. For mobile there is Courier from The Guardian Project).
• Youtube-dl -- Downloads a variety of streaming formats -- not just for youtube! Can be used with torify (see below) to anonymously view streaming video/audio that otherwise compromises privacy (e.g., flash). Note the version in packages is often not up to date--install the latest with pip to get a version that actually works.
• Torify -- A SOCKS proxy to the Tor network, and a wrapper to use it, so you can e.g. look up GPG keys, or perform WHOIS queries, anonymously.
• Get a GPG key
• installing the latest GPG
• Get a Gnuk token! -- Good way to do encryption in a protected dedicated device. You can buy them, or build them yourself
• secure SSH
  • Using gpg-agent instead of ssh-agent

Other Sites with Tools for Protecting Your Digital Rights

• Blog post on maintaining your privacy at the border.
• you broke the internet, we'll build a gnu one
• EPIC privacy-related tools
• Surveillance Self Defense (EFF)
• Opt out of datasharing by Whatsapp before the deadline! All new users of WhatsApp are automatically sharing much more. FB announced that around now (May 2021) it will share even more personal data than before. Almost any other messenger is a better choice.
• Tactical Technology Collective -- Toolkits and guides for digital security and privacy. Includes guides for Human Rights defenders. Security-in-a-box toolkit has a few inclusions that could be improved, including unhardened Tor, and Firefox rather than Icecat.
• Access Now Defending and extending digital rights of at risk users around the world.

Tools for Making Consent to Privacy Policies More Informed

• PrivacyPal, Automated Privacy Policy Parsing
• RAPPOR for privacy-preserving stats

Why care about privacy?

• Little talk on privacy that David gave to a class here at the University of Arizona
• 5 min recorded presentation David gave to local businesses on why they should care about privacy
• DoNotTrack documentary
• Why privacy matters
• Maciej Ceglowski's excellent talk
• it could happen to you, congress
• MLK Jr. and the history of bulk surveillance of people of color
• a few other reasons to care about privacy

Anonymity

• Talk on Loopix, predecessor to Katzenpost
• Guest lecture David gave on anonymity at The University of Arizona

Giving up privacy

• We must have been wrong about Google and Facebook all along -- On all the privacy-related organizations that accept support from companies whose business model relies on surveillance.
• Americans say they want privacy, but act as if they don't
• The End of Privacy on NPR
• Atlantic article on an Arizona man whose anti-privacy views lead him to share everything, including passwords to email, banks, etc.
• Londoners give up their first born in agreeing to privacy policy
• Ai Weiwei, Privacy, and the future of surveillance
• Article in Science, 'Privacy and Human Behavior in the Information Age' -- By Laura Brandimarte, of U. Arizona (et al)! Reviews of multiple topics in privacy including (esp. relevant to this section) why people who profess to care about privacy nevertheless act as though they don't (the "privacy paradox").

How universities can help

• Don't break Tor and tell the FBI before telling the Tor project
• boingboing on online privacy and libraries
• NSF "Dear Collegue" letter on privacy-related research
• Tor exit nodes list. Note the universities hosting! (MIT, UMich, BU, ...)

Videos

• Edward Snowden talks to Glenn Greenwald about privacy in the age of COVID-19
• Older video of Mike Rogers, then-Chairman of the House Permanent Select Committee on Intelligence, explaining that if you don't know your privacy was violated, it wasn't.
• Soghoian (erstwhile technologist at the ACLU) on the privacy implications of endpoint hacking
• Social media information given at the border accessible via very insecure PSN -- Video from latest CCC shows the terrible security of airline travel information. In the QA (but the whole video is very interesting) it is said that social media information gathered at the border for travellers to the US on visitor visas is linked to PSNs, which are horribly insecure. UPDATE (16 Jan.) -- A big breach at Amadeus.
• A series of privacy talks recently ended at The University of Arizona. UPDATE: you may need to download the files and play them locally, if your browser complains about playing them. Cached copies of
  • Privacy and Health (comments here),
  • Privacy and the Media ( comments here), and
  • Privacy and Commercial Data Collection (comments here).
• Snowden talked in a startpage.com-hosted interview in the Netherlands about privacy after the election of Trump in the U.S.; his pardon Mirrored here locally, so you can jump around the video (originally live-broadcast)
• Edward Snowden came to the UA to talk privacy with Glen Greenwald and Noam Chomsky. I mirrored the video, originally available only via flash. This is audio only.
• Edward Snowden discusses removing mounted microphones and cameras from cellphones, excesses of U.S. intelligence

Miscellaneous

• Especially since the pandemic started, there has been an increase in workplace surveillance. Don't buy gewgaws if you don't have to! - This is goofy; I regret nothing.
• Two Arizonan lawyers' role in the history of spam
• A thorough, well-executed study of web tracking (updated monthly?). Worth a look.
• Electronic Frontier Foundation's list of printers that produce tracking dots
• ProtectionOfHumanSubjects
• Privacy Bibliography
• A review of the off-Broadway play 'Privacy', with Daniel Radcliffe
• Several years on, Edward Snowden takes stock in an interview with Der Spiegel

Privacy theme music!

• Brian Eno sonically renders the dataset on the use of tools by NSO Group
• MF DOOM, the subtle and obscure, has died - From Metaphorical Villainy: "'Villain' represents that anybody can wear the mask---could be male, female, any race/so-called race ... it's about where you're coming from, from your heart. What is your message; what have you got to say? That's mainly why I chose to bring the mask into the fold." (a stranger, who speaks to you in vocals)
• aNONradio - Lots of variety, brought to you by Super Dimension Fortress.
• Wireless fantasy - Ussachevsky
• Headhunter - Front 242 - (Not egghunter) (thanks for reporting DMCA takedown of the other one)
• More Data - Negativland - Negativland!
• Inspection (Check One) Calling the meek and the humble. Inspection!
• Mejores Dias (Better Days) Stego used to encourage hostages of FARC. "Escucha este mensaje, hermano." Followed by "19 people rescued. You are next. Cheer up" in Morse code (1:29 - 1:52)
• A recent edition of Under Surveillance! Great radio show - Now as a single mp3.NEW (12 April 2024, starts at 4:49) Older shows are here. Script is available too if you want to get it for yourself.
• Octopus's Garden (Raffi version)
• Somebody's Watching me (Rockwell)
• 3:7:8 (Emergency Broadcast Network, or EBN)