It’s getting worse out there by the day. Wars and rumors of wars. A global banking crisis. The threat of out-of-control money printing. Increasing surveillance of ordinary users by governments, companies, and even activists and so-called journalists. Central bank digital currencies are coming online and promising to put technocrats in charge of our spending on a per-transaction basis.
Even more concerning is that incumbent powers and their enablers in the media and academy treat every new crisis and development in every ongoing crisis, as a justification for ratcheting down more tightly on our speech and our finances.
For everyone paying attention, the lesson of Operation Chokepoint and Chokepoint 2.0, the online poker crackdown of 2011, the Canadian trucker protest, and the post-Jan 6th eviction of large swaths of the American right from the internet, is crystal clear: it doesn’t matter if what you’ve been up to is legal or even constitutionally protected, you can still get deplatformed and unbanked if the powers that be decide your activities are a problem.
So if you’re a member of any politically disfavored community, now is the time to limit your exposure to worsening crackdowns. Start reducing your online footprint and exposure immediately because the time to go dark is before the Eye of Sauron turns on you. Because once it spots you, it’s already too late.
This post is the first in a series aimed at helping you find an exit from a system that hates you and wants to either remake you in its image or eject you with extreme prejudice.
There is no app for digital sovereignty
Many of us who are into freedom and privacy are getting worried emails and DMs from like-minded friends and family who are watching their feeds and coming to the conclusion that they immediately need to get off Google and Facebook, use a VPN, and set up 2FA on all their accounts. So they ask us for product and service recommendations.
Our response to these requests is always the same: The steps you’re considering are a solid start, but privacy and security are not products you can buy; there is no app for digital sovereignty.
Digital sovereignty is more of a mindset and a movement, and it has the following tenets:
Own your data, money, and online identities.
Communicate privately, securely, and, if desired, pseudonymously.
Choose who gets to know what about you and your activities, and on what terms.
Break the one-way mirror and watch web2 as it watches you.
Know your enemies — who’s trying to track you and to what end.
Prefer decentralization over centralization.
There’s nothing suspicious about any of the above — in fact, this is actually the way digital technology should work by default.
Fight censorship and cancellation for yourself and others.
Give back by hosting relays and nodes, and by contributing money and code to projects and companies that promote digital sovereignty.
Websites and sensors spy on us
Whether we know it or not — or have explicitly agreed to it — we throw off a steady stream of data to servers far and wide as we shop, travel, learn, entertain ourselves, and generally live our lives online and in the physical world. Many companies and organizations openly collect user data from sign-up forms, text fields, and video and audio feeds, while others silently collect user behavior data as a byproduct of digital activity.
Virtually everything we do on our phones is tracked and quantified. The average cell phone packs an impressive array of sensors and transceivers that all generate information, allowing operating systems and apps to tap into this data flow and send information back to remote servers:
Location data calculated from GPS, cell tower, Bluetooth, and Wi-Fi pings
Minute motion and orientation data generated by accelerometers, gyroscopes, and magnetometers
Environmental data from proximity, pressure, and ambient light sensors
Audio and video recorded by microphones and cameras
Biometric data captured by fingerprint readers and infrared cameras
If you add a smartwatch to the mix, that’s even more data you may be sending to various providers.
Beyond the sensors in our smartphones and watches, many apps, operating systems, and webpages collect behavioral data, keeping tabs on user activity. Even Apple, for all its claims to respect user privacy, collects detailed behavioral information from many of its own apps. The App Store relays ongoing information to the company about user behavior in real-time, including tapped elements, search queries, ads shown, and apps viewed, all with attached timestamps. Apple then uses this information to target ads at its users.
Even when you aren’t directly using the apps, devices, and services developed by the companies that regularly collect behavioral data, these companies can often still get their hands on your data. Companies including Google, Meta, Microsoft, and ByteDance have user identification and tracking tools embedded across the Web.
According to statistics from BuiltWith, Google is the number one provider of tracking and analytics technologies for the top one million websites. Google Analytics, which collects behavioral data, and Global Site Tag, which tracks ad click-through rates, are present on 49.96% and 36.32% of these websites, respectively.
Meta’s behavioral data collection tool, the Facebook Pixel, and ad click-through tracker, Facebook Conversation Tracking, can also be found widely across the Web, hiding in the background of 15.91% and 11.39% of the top one million websites, respectively.
They can still track you even if you don’t have a Facebook account. A study by The Markup and Mozilla found that 80% of users encountered Meta’s Pixel in their regular browsing habits.
While Google and Facebook’s trackers are the most common, they don’t account for most of the trackers found on the top one million sites. BuiltWith lists over 400 additional analytics and tracking tools that together make up the lion’s share of Web trackers.
These tracking scripts quietly work in the background of webpages to collect behavioral data and tie that data to individually identified users through a combination of fundamental indicators, such as IP addresses and device information, and advanced fingerprinting techniques.
Many of the same companies that offer Web trackers also distribute similar tools in the form of Software Development Kits (SDKs) that developers put into their mobile apps. Just like Web trackers, tracking SDKs are difficult to avoid. SDK usage data presented by MightySignal show that over 60% of the top 200 Android and iOS apps contain Google SDKs, with Facebook SDKs not too far behind.
In this series: We’ll cover a variety of tools and techniques that let you track the trackers. We’ll also introduce you to alternative services, both self-hosted and third-party, that preserve your privacy.
You’ll learn how to detect and manage outbound connections with firewall software like OpenSnitch.
We’ll look at privacy-focused desktop and mobile operating systems that don’t harvest user data.
We’ll introduce readers to privacy-respecting services, as well as Nitter and other frontends that enable users to access popular websites without being tracked.
We’ll highlight tracker identification tools such as Exodus Privacy.
You’re the product
You may have heard the adage, "if you aren't the customer, you're the product," yet, so often, you're the product regardless of whether you're the customer.
By now, the collection and sale of user data is thoroughly established as a viable business model. For some companies, this method of generating revenue is a way to offer users “free” services, though they very rarely, if ever, offer users the option to pay a fee in place of data collection. Other companies, such as internet service providers (ISPs), charge users fees and sell their data.
The companies initially collecting user data sell it to data brokers, such as the big three U.S. credit reporting companies Equifax, Experian, and TransUnion. Data brokers make it their business to buy, analyze, and sell as much user data as possible. Market analysis by Maximize Market Research valued the data broker market at $257 billion in 2021 and projected that data broker revenue will grow to $365 billion by 2029.
However, many websites and apps facilitating user data collection are entirely disconnected from the data broker industry. The Web scripts and SDKs discussed in the previous section provide legitimately useful tools at no cost to developers.
What many Web and app developers who use these “free” tools don’t realize or think about is the fact that these tools, such as Google Firebase, provide user data to the companies that make them. Thus, countless websites and apps end up turning their customers into products for companies selling user info to data brokers.
For example, in 2022, The Markup found that the websites of thirty-three of Newsweek’s top 100 hospitals in America contain Meta’s tracking pixel. Yet, healthcare providers aren’t always aware that this script sends user data back to Facebook. When Advocate Aurora Health found out that Meta can sometimes access extensive user information thanks to its tracking pixel, the healthcare provider went so far as to issue a data breach notice warning patients that Meta may have accessed the following information without their knowledge:
First and last names
Medical record numbers
Dates, times, and locations of scheduled appointments
Patients’ proximity to an AAH location
Information about patient’s providers
Types of appointments and procedures
Communications between patients and others
Many government websites are also riddled with third-party tracking cookies. Researchers at the IMDEA Networks Institute found that some U.S. government websites contain as many as thirteen third-party trackers. The situation is similar on most websites with any sizable amount of traffic.
The European Union's General Data Protection Regulation (GDPR) and ePrivacy Directive force many websites to display cookie consent banners to new visitors, but these banners tend to mislead or annoy users without actually educating users about what it is to which they're "agreeing."
via the IMDEA Networks Institute
Even when Web developers don’t embed third-party scripts in their websites, some companies try to embed them scripts there anyway. In August 2022, researcher Felix Krause determined that Meta was leveraging the in-app browser feature to inject scripts into websites users visited inside the company’s apps. A week later, the researcher discovered that TikTok went even further by injecting code that detected every tap and key input on web pages viewed within its app. Additionally, unlike Meta’s apps, TikTok’s app didn’t allow users to open webpages outside the app in users’ default browser.
In this series: We’ll discuss services and applications that block trackers and hide your activity.
You’ll learn to use VPNs such as Mullvad and IVPN to mask your IP address and hide your network traffic from ISPs.
We’ll cover how to use tracker blockers like uBlock Origin and browsers with built-in tracking protections, such as Brave and LibreWolf.
We’ll demonstrate how to use the Tor browser and the Whonix operating system, which resist fingerprinting and leverage Onion routing to anonymize online activity.
We’ll walk through how to remove your information from the internet and opt-out of data collection and sharing where possible.
The one-way mirror
In the world of Web2, most of the software, services, and devices we interact with have conditioned us to become comfortable with one-way-mirror relationships, where we entrust our data to servers we don’t control owned by people we can’t see and have no reason to trust. Once your data is on someone’s server, whether given voluntarily or not, you don’t know who else can access it.
Many companies aspire to have strong and clearly delineated data access controls, but the reality is that their size, the nature of their business, and the desire for convenience work against this aspiration, resulting in the sloppy handling of user data. In 2022, Motherboard surfaced an internal Facebook document in which the platform’s privacy engineers spoke frankly about their inability to isolate and control the flow of user data:
If we can’t enumerate all the data we have – where it is; where it goes; how it’s used – then how can we make commitments about it to the outside world? We fundamentally lack closed-form properties in Facebook systems ... We’ve built systems with open borders. The result of these open systems and open culture is well described with an analogy: Imagine you hold a bottle of ink in your hand. This bottle of ink is a mixture of all kinds of user data ... You pour that ink into a lake of water (our open data systems; our open culture) … and it flows … everywhere. How do you put that ink back in the bottle? How do you organize it again, such that it only flows to the allowed places in the lake?
Unsurprisingly, companies like Meta, built on collecting and sharing user data with many partners, cannot know and limit who has access to your data. Sloppy handling also extends into cybersecurity, as many companies have atrocious data security practices. Brian Krebs has documented two glaring security flaws in Experian’s website, both discovered in 2022. In one case, anyone could go through the account creation process for people who already have accounts and re-create these accounts, giving threat actors unauthorized control over victims’ accounts and access to their complete credit reports. In the other case, anyone could bypass part of the identity verification process and view victims’ credit reports by simply changing the last part of the URL.
That said, even good security practices and controls aren’t bulletproof. Human beings will always be a weak point in any security scheme. In a moment of inattentiveness, it takes only one member of an organization to fall for a phishing attack and grant threat actors access to the organization’s systems, resulting in a data breach.
Over a month in early 2022, seven 16-to-21-year-olds operating under the name LAPSUS$ breached the networks of Microsoft, Nvidia, Samsung, T-Mobile, and others, stealing over a terabyte of source code. These amateur hackers used publicly available hacking tools and basic social engineering techniques to conduct their short-lived cybercrime spree. Their flashy attacks and poor operational security (OPSEC) were their downfall, quickly drawing the attention of law enforcement, who easily discovered their identities and locations and arrested them.
This episode shows it doesn’t take super-advanced threat actors to steal data from even some of the biggest names in the tech industry. And while these particular incidents made international news, far more data breaches happen daily without much attention. In the U.S. healthcare sector alone, more breaches were reported to the government in 2022 than days in the year. With a total of 614 healthcare-related data breaches, more than 49 million Americans’ personal information was lost or stolen in a single year.
In the realm of cyberattacks, the particular threat posed by the Chinese Communist Party (CCP) is worth highlighting. Beyond TikTok’s siphoning of Americans’ data by any means possible, the CCP actively sponsors hacking groups to infiltrate foreign networks and conduct extensive cyber espionage and intellectual property theft.
In 2020, FBI Director Christopher Wray told the House Homeland Security Committee t“[t]he FBI is opening a new China-related counterintelligence case approximately every 10 hours.” Likewise, William Evenina, former Director of the National Counterintelligence and Security Center (NCSC), in a statement before the Senate Select Committee on Intelligence, said, “[i]t is estimated that 80% of American adults have had all of their personal data stolen by the CCP, and the other 20 percent most of their personal data.” To understand how this shocking state of affairs is possible, we can look to Evenina’s comments on the CCP’s breach of Equifax in May of 2017:
As former head of U.S. Intelligence, I consider this to be one of the CCP’s greatest intelligence collection successes. More than 145 million Americans had all their financial data, nicely aggregated, to the CCP along with Equifax’s trade secrets on how they acquired such data. That is every American adult.
Further, the CCP is worth highlighting here not only because it poses a significant threat but also because the CCP is instructive as a real-world model of an authoritarian police state engaged in active surveillance and censorship both within and without its borders. While Western governments do not presently engage in the same degree of surveillance and control over their citizens as the CCP, they leverage many similar tools.
Section 702 of the Foreign Intelligence Surveillance Act (FISA) authorizes the U.S. government to collect and store the phone calls, text messages, emails, and other electronic communications of not only foreigners but also American citizens. In 2021, the FBI conducted “fewer than” nearly 3.4 million warrantless searches of this database.
The FBI can also force companies to hand over customer data and stay quiet about it by issuing National Security Letters (NSLs), which require no judicial review. In 2013, an Intelligence Review Group reported that “the FBI currently issues an average of nearly 60 NSLs per day.”
The U.S. government’s ability to access Americans’ and foreigners’ information extends beyond these specifically sanctioned tools. Government contractors, like Zignal Labs and Anomaly Six, buy user data and provide it to government agencies in useable formats. In 2022, Anomaly Six boasted in a leaked presentation that it can track the location of roughly 3 billion devices in real time and identify the owners of these devices using data purchased from thousands of mobile apps. The presenter stated frankly that “[e]verything is agreed to and sent by the user, even though they probably don’t read the 60 pages in the [end user license agreement].”
In this series: We’ll dive deeper into the threats posed by various actors and recommend ways to mitigate these threats and take back control over your data.
You’ll learn how to host your own services with solutions like YunoHost and Nextcloud.
We’ll highlight important security measures, including password managers.
We’ll cover how to use open-source router firmware to protect your home network with a custom firewall and VPN settings.
We’ll discuss ways to conceal private information, such as using virtual bank cards, proxy email services, and end-to-end encrypted email, chat, and storage services.
User data is valuable because, in the aggregate, it forms a window through which others can peer into our lives. It may be difficult to see why we should care whether Google records individual search queries we enter into the company's search engine. However, distinct data points examined paint fairly detailed pictures of who we are, our loves, interests, hobbies, secrets, friends, facial features, where we live, play, and work, and more.
This kind of information is ripe for exploitation, whether that be commodification, fraud, identity theft, censorship, surveillance, or psychological warfare. While we ought to have control over our own data on principle, restoring, guarding, and exercising data sovereignty serves to combat exploitation of our data. As we continue this series, we'll expound further on the topic of data sovereignty, examining specific threats in more detail and discussing how we can mitigate them using various tools and techniques.
Is there a way to track the other articles in this series?