Sorry, I'll try to keep this under a small novel... and will probably fail.
Before you can launch into reasoning about this topic, you need to be able to answer several questions.
* What am I trying to protect myself against?
* How much effort do I expect attackers to use against me?
* How much inconvenience am I willing to tolerate for these goals?
* How much am I willing to inconvenience other people in these goals?
And from there, you can start learning about the threat landscape if you care. But a decent heuristic is "It's worse than you think it is in terms of data mining and behavioral surplus extraction," and "Nobody cares about you in particular." If they do, you're probably hosed. If a national agency is after you in particular, you're hosed, and I'm not in the slightest bit qualified to offer you advice on the matter.
Warning: My increasingly strong bias against consumer tech is going to show here. I do not like what computers have been used for by our "tech overlords," and I'm increasingly willing to compromise functionality to give them less to work with on me, and to support that which allows me to get out of their grasp.
Also, I think modern computers are very, very broken, from the hardware on up. So some of this is going to come from that perspective as well.
You can find some longer form ponderings related to this on my blog:
https://www.sevarg.net/2022/05/07/tech-philosophy-2022/
https://www.sevarg.net/2022/05/21/technology-and-diminishing-returns/
So, to give some answers to the questions, at least from my context:
What am I trying to protect myself against?
First and foremost, I care very deeply that my computers only do that which I expect them to do, and that they serve me. Not other people's ideas of what data they ought to be able to extract from my local use of computers, and particularly not the desires of those who wish to hold my data hostage or extract my credentials. I reject the framing of myself as a "consumer" and "set of eyeballs to be monetized," so I'm trying to foil as much data collection as possible. However, neither do I care strongly about keeping myself "fully anonymous" in my normal accounts - I'm not a hard one to find, based on my general writings, and "writing style analysis" is reasonably advanced (plus I tend long form).
However, I also care about demonstrating that "something different from the default" can work, so I'm a bit inclined to use "flashy" techniques at times, especially around cell phones, to open conversations with people about what can be done. I could be perfectly happy with a defanged black mirror type device, but at this point, I keep carrying a flip phone because it does what I need and I rather enjoy the reactions it gets, largely along the lines of "I had no idea those still existed!"
How much effort do I expect attackers to use against me?
I expect I'm subject to the usual hostility all users of the internet face, but probably not exceptionally more. If I believed myself likely subject to more directed efforts against me in particular, I'd do some things differently.
How much inconvenience am I willing to tolerate for these goals?
Quite exceptional. I've written kernel patches for some of my computers, and I joke that I'm not sure I'd know what to do with a computer that was fully working. My hobby of using little ARM computers means that I'm often not capable of actually playing videos with sound, because the machines with sound don't have a working video player, and the machines that can play video don't have a working sound output connected to anything. This is fine with me. I don't mind the lack of GPU acceleration that certain options require. Etc.
How much am I willing to inconvenience other people in these goals?
However, I try to avoid inconveniencing other people too terribly much. I experimented with one phone that was fine, except for group texting - it simply couldn't do it. That's annoying enough to other people that I wasn't willing to use it long term. However, I don't care if I'm not accessible on short notice on most messaging platforms. I merge those I'm willing to use into a common interface with Matrix bridges, and I don't care about the rest.
That said:
What options do we have in 2022 to protect our privacy when using a computer or a smartphone?
"Don't use them" is the best one. "Use them as little as possible, with as little capability as possible" is the next best approach.
I've expanded on it substantially in the blog posts I linked above, but at this point, I don't think there's a "safe/private" way to use most mainline OSes. Microsoft has demonstrated in a variety of ways that Windows 11 is solving the "problems" with Windows 10 of not being able to extract enough good data about behavior, and not being able to deliver integrated-enough ads to the OS. Apple had been sane, but seems to have burned all their privacy capital in a glorious bonfire of on-device content scanning (that they've yet to push out - so they, in my view, burned all their good will, and haven't accomplished anything either - it's a bit weird to watch). Android is simply a location and behavioral data extraction platform for Google that happens to run apps (if you don't believe this, go check your timeline at https://www.google.com/maps/timeline ).
I'm pure Linux for almost all my activities now, though I do have some legacy Windows 10 installs and a Mac I use as I've had a lot of my data in Mac-only formats for long enough that it's worth keeping at least something around that can read them. Although I'm considering just moving it to a VM and being done with it. For phones, I consider a defanged Android device sane (Lineage/Graphene/etc), a pure Linux phone fine but unusable (PinePhone and the like), and my daily carry device is a KaiOS device. Apple might be OK for now, but I simply don't wish to give them any more money.
The main threat on a desktop is the browser, and both tracking user behavior and delivering malware - 0days in ad networks are more common than one would prefer. Using various ad blockers removes a lot of threats. PiHole as a network level DNS blocker solves a lot, although DNS over HTTPS is a bit of a thorn there (browsers just going around your local DNS configuration - it helps against some threat models like a compromised router, hurts in others like local network ad blocking). NoScript helps a ton, if you're willing to discover how many websites are simply broken without extensive Javascript, but on the flip side, it reduces the weight of most websites in terms of RAM/CPU quite a bit - which is helpful if you're on little ARM boxes without enough RAM. Obviously, don't download random crap.
There's something to be said on desktops for some aggressive sandboxing between "high security personal activity" (email, core SSH keys, etc) and "random web activity." QubesOS offers a lot here, at the cost of no GPU acceleration of anything and a somewhat stiff learning curve. I like it. It's wonderfully paranoid in all the ways I like.
For a phone, Apps are Evil. No, really. Whatever of interest you think they're collecting, they're collecting 10x more, and hoping someone can find some magic to make it useful. There are some great papers looking at things like "How you can use general locational data combined with timestamped accelerometer data to disambiguate who's sharing a vehicle with other people," and "Using accelerometers and such as microphones when you aren't granted microphone permission." In addition to all the stuff we know is going on with Bluetooth and Wifi beacons being used to track people through stores and such at high precision, probably tied to your checkout behavior. Not my idea of a great time.
Apple tends to be reasonably secure if you're running the latest OS in terms of 0day resistance; Android tends to be terrible given their update model. One option for a black mirror device is to just have as little as possible on it. Instead of having "all your accounts" on it, have as few as you can reasonably have, and strive to reduce that over time. You just don't need email on a phone. It's high latency and can stay that way. Consider how little you really need and go that route.
However, given the evils of behavioral collection on a modern smartphone, as has been demonstrated by some people later in this thread, the best option now is to get out of the habit of carrying one. Or, at least, out of the habit of always carrying a powered on one. You can solve many problems by powering it off or leaving it at home, and I know very well a lot of people on this forum are old enough to remember when "carrying a cell phone in your pocket" became a thing.
I've been trying to revert to a late 90s or early 2000s way of interfacing with tech, and it's been quite nice.
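The network-level DNS blocking and the DNS-over-HTTPS caveat mentioned above, as an added example in Python that is not part of the original post: a matcher for the hosts-format blocklists Pi-hole consumes (with correct subdomain handling, so `notads.example.com` does not match `ads.example.com`), the filtering resolver's answer, and a model of Firefox's canary-domain behaviour. The blocklist text and query names are constructed for the example; `use-application-dns.net` is Firefox's real canary name, which Pi-hole answers with NXDOMAIN by default so that default-on DoH falls back to the local resolver. A client with DoH explicitly enabled, or an app with a hard-coded DoH resolver, never asks the local resolver at all, which is the bypass the post complains about.

```python
"""Hosts-format blocklist matching plus the Firefox DoH canary (added example)."""

# Constructed sample blocklist in the hosts-file format Pi-hole consumes.
SAMPLE_BLOCKLIST = """\
# example blocklist, constructed for illustration
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net   # trailing comment
127.0.0.1 localhost
::1 localhost
"""

# Firefox's canary: an NXDOMAIN answer for this name tells a Firefox that has
# DoH on by default (not by explicit user choice) to use the system resolver.
DOH_CANARY = "use-application-dns.net"

# Addresses a hosts-format blocklist uses as sinkholes; anything else is a
# real host mapping and must not be treated as a block entry.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::", "::1"}


def parse_hosts_blocklist(text):
    """Return the set of blocked names from hosts-format text."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2 or parts[0] not in SINK_ADDRESSES:
            continue
        for name in parts[1:]:
            name = name.lower().rstrip(".")
            if name != "localhost":  # lists often carry the stock localhost lines
                blocked.add(name)
    return blocked


def is_blocked(qname, blocked, block_subdomains=True):
    """Exact match, then walk up the label chain so cdn.ads.example.com is
    caught by an ads.example.com entry, without matching notads.example.com."""
    qname = qname.lower().rstrip(".")
    if qname in blocked:
        return True
    if not block_subdomains:
        return False
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(1, len(labels)))


def resolve(qname, blocked):
    """What a filtering resolver answers: NXDOMAIN for the canary, a sinkhole
    address for blocked names, otherwise forward the query upstream."""
    name = qname.lower().rstrip(".")
    if name == DOH_CANARY:
        return "NXDOMAIN"
    if is_blocked(name, blocked):
        return "0.0.0.0"
    return "FORWARD"


def firefox_uses_doh(canary_answer, user_enabled_explicitly=False):
    """Firefox's decision: the canary only disables *default-on* DoH. A user
    who turned DoH on themselves keeps it, and the local blocklist is bypassed."""
    if user_enabled_explicitly:
        return True
    return canary_answer != "NXDOMAIN"


if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
    for q in ("ads.example.com", "cdn.ads.example.com", "notads.example.com", DOH_CANARY):
        print(f"{q:28} -> {resolve(q, blocked)}")
    print("default Firefox uses DoH here:", firefox_uses_doh(resolve(DOH_CANARY, blocked)))
    print("explicitly-enabled Firefox:   ", firefox_uses_doh(resolve(DOH_CANARY, blocked), True))
```

The canary answer only wins back default-on Firefox; for anything that resolves over DoH by explicit choice or hard-coded design, the only network-side lever left is blocking the resolver endpoints themselves, which is the "hurts in others" trade-off the post describes.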
I use Linux at work and home. I have an Android phone. I tend to compartmentalize private and professional activities by browser and email addresses. I use EFF browser plugins and uBlock Origin.
Having different browsers helps a lot, though I would encourage having separate VMs for personal and professional activities. If you can deal with the limitations, Qubes lets you do this very cleanly...
I'm trying to move to a model in which all my regular activities are in Qubes, with some "raw iron" Linux installs for stuff like gaming, but on installs that don't get access to email or such. I need to pave over a few things here.
I occasionally scan my phone with Malwarebytes and have never found much. On Linux I'm looking for something to occasionally run manual scans with. I've never had any security issues that I am aware of and I've been using Linux since the late 1990s.
I have no idea what "scanning phones" accomplishes other than making you feel good about a progress bar. Any decent malware author is going to ensure that nothing detects their malware with the usual tools... and the stuff that tends to show up on Android has gotten clever about waiting for a while before deploying.
My employer maintains my Win10 laptop and keeps it locked down pretty tight. I rarely use it except for CAD. At home we have a Win10 desktop mainly used for gaming. I scan it with Malwarebytes and have rarely seen any issues except a Minecraft plugin that caused problems. That computer dual boots Linux and everything sensitive it has ever done (banking or taxes) was done on the Linux side.
The "culture" around Minecraft plugins is horrifying. "Download this thing and install it" from some insanely sketchy file hosting sites - of the variety that, in the past, have been found injecting their own bonus content in downloads. But that's a sane approach. Another would be to get a Chromebook for secure work, and abandon the desktop for banking/taxes/etc. Though I'm not sure you actually gain much there from what you're doing.
What is the most privacy oriented smartphone right now?
The best I'm aware of, once you get past "privacy oriented smartphone" being an oxymoron with how vile apps are about data collection, would be one of the third party OSes on an Android device. Though if there's any way to not use a smartphone, that's far better, IMO.
Edited to add - and maybe buy a burner phone before you need it.
What threats are you protecting against with it? To actually keep a "burner" phone from being associated with your other devices by locational proximity is exceedingly hard, if you're worried about higher level actors associating it with you. Used carelessly, it's pointless security theater. I generally assume the popularity of "burner" devices in various TV shows/movies is a bit of a bait to make people think they're gaining security with them, when it's trivial for law enforcement to associate them properly.
I don't think there exists a reasonable way to "privately" use a smartphone, and if I wanted to do something very high security, I wouldn't use a burner phone. I'd use a laptop, tethered, with a range of other tricks.
I've deleted my period tracker app and have gone back to paper calendar tracking.
Good! The state of "health apps" is abysmal, and when people go poking at them, they "share data" with a huge number of "partners." You can safely assume that a period tracker app exists to feed as much data about your private medical state to advertisers, who now know for sure that you're a woman within a certain age range, and a wide range of actors can use the time of the month in your cycle to fine tune how they deliver advertisements or social media feeds for "engagement." I assume that variations in timing can be tied to other things of interest to advertisers/marketers/influencing agencies/etc. And I'd assume that app feeds up more than you think it does.
Paper calendars at home are great. You don't have to worry about them exporting data to advertisers. We've gone back to a paper calendar for family events as well.
I'll start turning off my phone before leaving my house for all doctor visits. I look forward to suggestions on tech options.
Careful. If the only time you turn your phone off is for some particular event, that's useful information. If you never turn your phone off, and you turn it off and leave it at home for one particular thing, this can be used to demonstrate that you're doing something interesting. It's better to cultivate a "forgetful 80 year old's" phone habits. Turn it off randomly. Leave it at home randomly. Turn it off and take it with you, and turn it on only if you need it. Voicemail works fine, text messages eventually get around. But if you cultivate a "forgetful" phone habit, then it's not "weird" when you leave it behind.
Don't forget that your car, if it's got a cell modem, is also leaking your location data. If your car has a cell connection that always matches your personal phone's location, and all of a sudden it doesn't, huh. That's interesting... You might remove the cell modem from your car if you're particularly concerned about location data. Then it's just the license plate cameras and such, which is far better than the fine-grained data otherwise available.
But these are only good for computers - anything that uses apps (phones, iPads, etc) is trickier.
Hence my advice to use them as little as possible. Location off is a good idea, as few permissions as possible is a good idea, but even just the stuff the apps get by default (gyro, accelerometer, etc) is enough to be worrying.
And also whether or not a VPN is actually worth it - I've been debating that for a while.
What threats are you concerned about that a VPN would solve? If you're worried about the "first hop" for public use locations - coffee shops, airport wifi, etc, then, absolutely, a VPN will help. But I'm honestly not that worried about those places, because https is now just about everywhere, and a browser with an existing trust set for sites isn't going to be easily redirected away from https. HSTS and cert pinning and such gain you a lot on that front.
And if you want to run a VPN endpoint, Outline makes it easy to run your own VPN endpoint on various cloud providers. I use it if I'm going to be on travel, just to deal with the first hop thing.
What a VPN, and especially the heavily marketed ones, won't do is the stuff that they claim to do. All they do is move your browsing activity from your home IP to another IP, and if you're not careful, it's trivial to link things together - "Oh, hey, you access the ad network from this IP, and also from a FnordVPN IP, OK, you're a FnordVPN user which probably means I can market security things to you!" It adds neither meaningful security nor privacy unless done carefully. What it does seem to do is add massive affiliate marketing profits to various video producers.
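The linkage described in the reply above, as an added example that is not from the original post: a constructed ad-network request log is parsed and grouped by tracking cookie, and any cookie seen both from a VPN egress range and from a non-VPN address is reported, which gives the tracker the home IP and the fact that the person uses that VPN in one join. The log lines, the `uid=` cookie field and the VPN range (`198.51.100.0/24`, an RFC 5737 documentation range) are all made up for the example.

```python
"""Linking one browser across home and VPN IPs via its tracking cookie (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed ad-network request log (not real traffic). Addresses are from
# the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2022-06-01T10:01:02Z 203.0.113.45 uid=a1b2c3 GET /pixel.gif
2022-06-01T10:05:17Z 203.0.113.45 uid=a1b2c3 GET /pixel.gif
2022-06-01T18:22:10Z 198.51.100.7 uid=a1b2c3 GET /pixel.gif
2022-06-01T18:40:00Z 198.51.100.9 uid=d4e5f6 GET /pixel.gif
2022-06-02T09:12:44Z 203.0.113.80 uid=778899 GET /pixel.gif
malformed line that the parser should skip
"""

# Assumed egress range of a commercial VPN provider (constructed for the example).
# Real trackers buy or build such lists; the lookup is the cheap part.
VPN_RANGES = [ipaddress.ip_network("198.51.100.0/24")]

# timestamp, client IP, cookie value; the rest of the request line is ignored.
LINE_RE = re.compile(r"^(\S+) (\S+) uid=(\S+) ")


def parse_log(text):
    """Yield (timestamp, ip_address, uid) for each well-formed line."""
    for raw in text.splitlines():
        match = LINE_RE.match(raw)
        if not match:
            continue
        ts, ip, uid = match.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue
        yield ts, addr, uid


def is_vpn_ip(addr, ranges=VPN_RANGES):
    return any(addr in net for net in ranges)


def link_identities(text, ranges=VPN_RANGES):
    """Group source IPs by cookie, split into VPN egress and everything else.
    The cookie is what survives the IP change; the IP is just an attribute."""
    seen = defaultdict(lambda: {"vpn": set(), "other": set()})
    for _ts, addr, uid in parse_log(text):
        bucket = "vpn" if is_vpn_ip(addr, ranges) else "other"
        seen[uid][bucket].add(str(addr))
    return {uid: {k: sorted(v) for k, v in buckets.items()}
            for uid, buckets in seen.items()}


def deanonymized_vpn_users(text, ranges=VPN_RANGES):
    """Cookies observed from both a VPN egress and a non-VPN address: the
    tracker now holds the home IP and a 'uses this VPN' label for that person."""
    linked = link_identities(text, ranges)
    return sorted(uid for uid, b in linked.items() if b["vpn"] and b["other"])


if __name__ == "__main__":
    for uid, buckets in link_identities(SAMPLE_LOG).items():
        print(uid, buckets)
    print("linked across VPN and home:", deanonymized_vpn_users(SAMPLE_LOG))
```

The "done carefully" part of the reply is what breaks the join: a separate browser profile (separate cookie jar) for traffic that goes over the VPN means the `uid` differs between the two networks and nothing in this log ties them together.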
They're cheap, there are many solid ones (private, no logs, not in one of the Five Eyes or Fourteen Eyes countries), and most have servers around the world so you can connect to different POPs as needed.
The more a VPN provider goes on about how bulletproof and secure and log-free and such they are, the less I believe them. Quite a few "Totally Secure Hide Your Activity Online VPN Extreme" type services have been literal government honeypots over the years - along with some disturbing number of the "secure phones" one can buy. If you've never heard of it, it's probably safe to assume it's a honeypot. It's a pessimistic viewpoint, but if I'm going to be doing something sensitive online, I'm not going to trust some random no-name company who tries to have all the security buzzwords on their site (that's probably not even using https).
Again, if my goal is to protect my first hop, I can (and do) host infrastructure to protect that. Anything else they claim to do other than move my IP around can be assumed to be either an outright lie or at least deceptive. It's a pessimistic point of view, but neither have I been convinced it's wrong.
If I really would rather be non-attributed, a Whonix VM setup (easy to launch in Qubes, and one of the default templates!) is far better.
I know iPhones can leak Bluetooth location data even when "off" - this may be limited to iPhones, but most things in iOS make their way over to Android eventually. The only way to defeat this edge case would be Faraday bags or actually leaving the phone at home. Of course, a turned off iPhone will make it a lot harder for ADVERTISERS to track - it just isn't foolproof anymore.
I believe you can turn the AirTag/Location Network stuff off when the phone is shut down.
... I hate to brag on my KaiOS device, but I just pull the battery out if I want to make a point. It's an old habit, but for sensitive conversations, I'll set the phone on the table, battery visibly removed.
====
Sorry. 3000 words of pessimism. My biases are well known.