If you have nothing to hide, you have nothing to fear [1]
I’ve heard this phrase more times than I care to count, although it’s becoming increasingly rare that I hear people use it. I wrote about this, and why privacy matters, in the past. That post primarily spoke about online privacy, and not so much about the privacy we have on the devices we use: our computers, our phones, our tablets, and the IoT devices we have in our homes and workplaces.
A Story of Siri
Recently, I had a meeting with a coworker, and during the meeting (like in many meetings I have with him), Siri spoke up. What did it say? “I’m sorry, I didn’t quite catch that” (or something to that effect). It was picking up on his voice, during a meeting, and thinking that it was him wanting assistance.
In Apple’s privacy policy regarding Siri [2], Apple tells us that Siri isn’t used for marketing purposes, but it is tied to an identifier for your specific device. While this has a limit of 6 months, there’s not much about actually getting rid of the recordings entirely. Furthermore, it says less than 0.2% are reviewed by a real person. So, if you give 500 commands (either intentional or unintentional), one of your recordings is being reviewed by a real person.
At the very least, Siri is enabled during setup (and yes, it’s encouraged), and from then on it is always listening unless you configure it otherwise.
A Story of Google
Google Assistant isn’t really all that different. Reading their support article [3], under the “Unintentionally collect my voice data” section, we’re notified that - yes, you can delete the recording. But notice the wording. It says:
If that happens, just say “Hey Google, that wasn’t for you,” and the Assistant will delete the last thing it sent to Google.
Does this mean that it’s deleted just from the device, or from Google’s servers? How often are backups happening? Did your recording hit a backup window, and already get shipped off to another system internally for processing? When we say “delete”, what do we really mean? Software developers, when they “delete” a record, often aren’t deleting it - they simply disassociate it from the system (by flipping a bit, by removing the link to a person, etc.). In other words, is this truly deleted?
A Story of Windows
I recently got a handheld computer system, and wanted it for some games on Steam. Because of that, I decided to keep the default Windows install on there. The default version for many consumer devices is Windows Home.
During the setup, I was met with a very infuriating screen. It asked to connect to Wi-Fi, which I figured “sure, why not” - until I got to the next screen. The next screen prompted me for a Microsoft account. Furthermore, it didn’t give me any option to create a local account. I’ve set up Windows in the past, and it must be a Home edition issue. I did some research, and found I can work around this by turning off Wi-Fi and going through the initial setup. Furthermore, stuff like Cortana and the like is all available and loaded by default.
Another interesting thing about Windows is that it heavily promotes its OneDrive platform as well.
So far Microsoft has been better than many regarding the canceling of people’s accounts. But, we’re seeing a wave of sorts that concerns me greatly: the closing of people’s accounts through various sites. How long until Microsoft does something similar? Hard to say. We’ve already seen places like Visa banning people [4]. But even without projecting what could happen, one look at the privacy policy [5] explains a lot.
A common phrase I hear people using (you’ll hear it online a lot) is “They’re a private company, they can do what they want”. Why give them information they don’t need, in case they decide to reject service in the future?
A Story of Linux and Mac
Many may consider Linux to be a private operating system. But, that’s not necessarily true [6]. Luckily, Linux is a mish-mash of lots of software/technologies that allow you to piece together what you want in an OS, so what you end up with is only as private as the pieces you choose.
The same is true with OS X. Apple started introducing ads, and they can also track what you buy through the store. Siri is also tied in with some of the search capabilities, and is promoted much like Cortana is in Windows. Luckily, Apple Pay has fairly strict privacy protections [7].
Balance Between Privacy and Convenience
You may be asking yourself, “Why does this all matter? What am I supposed to do about it?”, and these are incredibly valid questions and concerns. There’s a balance between privacy and convenience that should be taken into consideration. Unfortunately, this question can only be answered by you and no one else. But, I can give my personal preference of how I deal with it.
I take a hybrid model, and a mixture of giving up some privacy for convenience. But, I am careful about how I approach this. I refuse to use Cortana, Siri, Alexa, or any other voice activated program in any way, shape, or form. Furthermore, my primary operating system of use is Linux, but is not Ubuntu. I also have different devices with different “trust levels”. My cell phone I assume is not private at all, and treat it as public. I store very little on my phone. I use an iPad. That, I consider more private in general. I greatly restrict what’s installed on it, the use of it, and so on. But it’s more trusted than my phone. Then, there’s computers. Linux systems have near ultimate trust in my view. Those I highly customize, and lock down heavily. Next trusted is anything OS X related. Then, last, anything Windows-like.
As systems become less and less trusted, the scope of what they have access to, and their general use, is restricted further and further. Meaning, anything I don’t trust (like Windows) I’ll use as a test setup for software or specific purposes, and move that back closer to Linux if it’s more important for my daily use. But, that said, every operating system I use I lock down as far as I can. I turn off any and all advertisement-related features, install security software (I use far more than Windows Defender), turn off Siri, disable any web search from stuff like Spotlight and Windows search, etc.
I also rarely use cloud services for file storage. I assume they’re entirely open systems, that every file is public, and I primarily use them as a way to get information to people.
I also don’t use a Microsoft account, or anything like that. I also try to create logins for each site with a different user/password and different security questions/answers (most often made up). This is more security related, but also, given that authentication hits their SSO (Single Sign On), it’s still an issue from a privacy standpoint. I generally use KeePassXC to keep track of most of this information.
I also lock down my browsers. I use Brave [8] fairly often, as well. But, I also lock this down fairly heavily too. I disable their crypto-based stuff (their form of advertisements), and turn off most features for websites (Widevine, Twitter, Facebook, Google Hangouts, etc.). I also lock this down even further using Firejail or a dedicated VM with very limited access to internal machines.
Finding Your Balance
Finding your balance between privacy and convenience is something only you can answer. But, I do believe it’s an important thing to ask yourself and answer for yourself. It can make things more limiting, but it’s also a matter of pride that you. The EFF [9] put out a nice guide that is worth reading. In my opinion, some of the best ways to take back your privacy:
- Get off Google. This includes Gmail, using it for web searching, etc. There are many, many alternatives out there. Yes, this is hard and still something I’m working toward. Furthermore, also consider aliases for your email. Keep stuff like purchases in a separate email from your main one.
- Get off social media. This includes, especially, Twitter and Facebook. Not only is it a privacy nightmare, but they’re truly awful places to hang out in - both from a company standpoint, and people’s posts. Telegram and Signal are a lot better (with one caveat: Signal encrypts every conversation end to end by default, while Telegram only does so in its optional “secret chats”; regular Telegram chats are readable on Telegram’s servers).
- Move to a better browser. Read the privacy policy for the browser(s) you use, and what they do and don’t collect. Ask yourself about their funding model. You’re getting this browser for free, so how are they paying for it? Is it with your data?
- Scale back Windows. For most people, moving to Linux may feel too daunting to even recommend. Instead, look into some privacy guides [10]. Ideally, for your main machine, moving to Linux would be a good long-term goal if you have the technical chops to handle the move.
- Wipe browser cookies periodically, turn off tracking. This is part of #3 above, but aim to wipe cookies every so often, and have strict tracking and ad removal. Cookies are convenient (you don’t have to log back in again), but they can also be used to track you across the web. An alternative, and the one I use, is that I have a general browser (Brave) and a specialized browser (Chromium). Both are locked down, but only Brave is the one that gets cleared. I use Chromium for sites that I don’t want to log back into again (primarily local services; it’s the only browser in which I allow the “saving” of passwords). Also, consider using incognito mode far more often, keeping in mind that it only stops the browser from keeping cookies and history on disk; the sites you visit, your ISP, and anything logging your IP address see you exactly as before.
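One concrete way to enforce the two-browser split described above (the general browser that gets wiped, the specialized one that is allowed to remember logins), and the Brave lockdown mentioned earlier (Rewards/Wallet off, no password saving), is to ship managed policy files instead of relying on clicking through settings. This is an added example, not something from the original post or from the Brave/Chromium projects. It assumes Linux, that Chromium reads policies from /etc/chromium/policies/managed and Brave from /etc/brave/policies/managed (the paths are parameters so you can adjust them), and that the BraveRewardsDisabled/BraveWalletDisabled keys exist in your Brave version; the host names in the allowlist are made up.

```shell
#!/bin/sh
# Added example (not from the original post): write managed browser policies
# that implement a "throwaway" general browser and a "remembers logins"
# specialized browser. Assumed policy directories are passed in by the caller.
set -eu

# General-purpose browser (Brave here): session-only cookies, everything
# discarded when it closes, no password manager or autofill, no search
# suggestions, and the Brave Rewards / Wallet features switched off.
# The Brave* keys are Brave-specific; check them against your installed
# version's policy list before relying on them.
write_general_policy() {
    dir="$1"                         # e.g. /etc/brave/policies/managed
    mkdir -p "$dir"
    out="$dir/privacy-general.json"
    cat > "$out" <<'EOF'
{
  "DefaultCookiesSetting": 4,
  "BlockThirdPartyCookies": true,
  "ClearBrowsingDataOnExitList": [
    "browsing_history", "download_history", "cookies_and_other_site_data",
    "cached_images_and_files", "password_signin", "autofill",
    "site_settings", "hosted_app_data"
  ],
  "PasswordManagerEnabled": false,
  "AutofillAddressEnabled": false,
  "AutofillCreditCardEnabled": false,
  "SearchSuggestEnabled": false,
  "BraveRewardsDisabled": true,
  "BraveWalletDisabled": true
}
EOF
    printf '%s\n' "$out"
}

# Specialized browser (Chromium here): cookies and saved passwords persist,
# but the browser is fenced in to the handful of local services it exists
# for. The host names below are constructed placeholders; replace them.
write_specialized_policy() {
    dir="$1"                         # e.g. /etc/chromium/policies/managed
    mkdir -p "$dir"
    out="$dir/privacy-specialized.json"
    cat > "$out" <<'EOF'
{
  "DefaultCookiesSetting": 1,
  "BlockThirdPartyCookies": true,
  "PasswordManagerEnabled": true,
  "SearchSuggestEnabled": false,
  "URLBlocklist": ["*"],
  "URLAllowlist": ["localhost", "nas.lan", "router.lan"]
}
EOF
    printf '%s\n' "$out"
}

# Run as root with "install" to place the files in the assumed system paths.
if [ "${1:-}" = "install" ]; then
    write_general_policy /etc/brave/policies/managed
    write_specialized_policy /etc/chromium/policies/managed
fi
```

After installing, open chrome://policy (or brave://policy) in each browser: every key from the file should be listed there as a managed policy with no error, which is the quickest check that the directory you assumed is the one the binary actually reads. Because these are machine policies, they also cannot be quietly undone from the settings UI, which is the point of doing it this way rather than toggling switches by hand.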
References
- 1: https://en.wikipedia.org/wiki/Nothing_to_hide_argument
- 2: https://www.apple.com/newsroom/2019/08/improving-siris-privacy-protections/
- 3: https://support.google.com/googlenest/answer/7072285
- 4: https://news.ycombinator.com/item?id=23671933
- 5: https://privacy.microsoft.com/en-us/privacystatement
- 6: https://itsfoss.com/canonical-targets-website-crictical-ubuntu-privacy/
- 7: https://support.apple.com/en-us/HT203027
- 8: https://brave.com/
- 9: https://ssd.eff.org/
- 10: https://www.computerworld.com/article/3025709/how-to-protect-your-privacy-in-windows-10.html