De-cloudify Your Life

6 years ago I gave different advice on this topic. But recent court decisions in the US have demonstrated repeatedly that they have no intention of limiting the third-party doctrine now that so much of our private information is in the hands of third parties. This means, for example, that you have no say in whether Google hands your emails over to the government. All that protects you is the third party's desire to keep people handing their information over, which means maybe they'll fight the government sometimes, at least when they think the public is paying attention.

But even if you trust the employees of every government that can exert power over Google, Facebook, AT&T, etc. not to abuse their access to your data, there are very different costs and incentives when it comes to protecting your private information. Yahoo and Equifax still exist despite losing the private information of every single one of their customers. Their shareholders have still made plenty of money. No execs have gone to jail or even lost a significant fraction of their wealth. But the damage that can be done to an individual or a family if someone gains access to their email account, their financial identity, or their cellphone is devastating.

The only solution to this problem, unless governments start actually caring about people's privacy in the digital world (as some governments have particularly in Europe, which might matter if it weren't for the American elephants in the room), is to stop handing your private information over to third parties wherever possible, and obfuscate, obscure, lie, or lock it down where you can't avoid it. As an example of "locking it down", every American should have freezes on their files with all the major credit bureaus. There is no avoiding it now. It won't help avoid losing your data, since it's already out there, but it can make it harder for people to use it to open lines of credit in your name.

You are already being profiled based on your social media posts and who's in your social network. If you must use Facebook or something like it, consider how important it is to you that your posts or friends list be publicly visible. You can't stop Facebook from mining your data if you use Facebook, and you can't stop governments from ordering Facebook to hand over your data, but you can at least stop people from scraping it by locking down your privacy settings. That will help a little, but Facebook itself (not to mention Google) is Big Brother's wet dream. Neither George Orwell nor Aldous Huxley, nor even Ira Levin writing in 1992 (This Perfect Day) imagined a surveillance system nearly as vast and powerful as Google or Facebook.

You can't even opt out of being tracked by the giants by not having an account, though that certainly helps. That's why using an adblocker is mandatory if you want any semblance of privacy, because even if Facebook and Google respect your privacy choices somewhat and have reasonable controls to prevent abuse of data, there are literally tens of thousands of shady companies using every technique in the book, including malicious ads served through the "legitimate" ad networks, to glean as much information as they can so they can sell it to the highest bidder. Personally, I use uBlock Origin with Anti-Adblock-Killer to prevent sites from detecting that I'm using an adblocker.

There are plenty of options when it comes to web browsers. I use Firefox myself because of its openness and extensibility. Safari is a decent choice as well, though OSX itself is as bad as Windows, if not worse, when it comes to security these days. ChromeOS is damn secure, but it's made by a company whose business model is based on surveillance, and it's a bit less convenient to use if you don't also use Google Drive, though at least Chrome's browser syncing uses end-to-end crypto and you can turn off tracking if you trust Google to honor that (I do, or I wouldn't work there). These days I'd say that even the average consumer can do well running a well-known user-friendly Linux distribution like Debian, Ubuntu, or Fedora. And if you're really paranoid there's always TAILS, which is quite user-friendly if limited in functionality. It's targeted at journalists and dissidents (hence the user-friendliness) and has been recommended by Edward Snowden.

For email, you could self-host if you're good with that sort of thing. But most people aren't, and even if they are, there's a good chance they won't be able to secure their server sufficiently, so email providers like ProtonMail or Tutanota represent a good compromise. I use and like ProtonMail myself, I am not affiliated with them aside from being a user. Both sites have a "freemium" business model and at least ProtonMail accepts Bitcoin (not sure about Tutanota) so you don't need to hand over your real-world details even if you decide to go for one of their premium options.

When it comes to cellphone/SMS number security, all I really know about it is that it's abysmal. I use Google Fi personally because I think Google understands and cares about security more than any traditional telco (note: I work for Google, though my opinions very much don't reflect theirs). If you're really paranoid, you might consider whether you need to carry a powered-on cellphone everywhere with you at all. Pagers are still available, and they don't track your location, at the cost of being unencrypted. But back when pagers were popular, the use of codes in pager messages and voice mails left with human receptionists was very common (my favorite was "bread and milk" meaning to buy condoms). Despite the breathless articles about hacks on cellphones, they generally don't do anything when they're powered off, so one could always carry a powered-off, pre-paid feature phone to respond to pages on their refurbished retro pager.

If you insist on a smartphone, I'm sad to say that Apple beats Google on privacy and security for the average consumer, because their business model is not based on surveillance. I personally don't like Apple's closed ecosystem because I am a fan of open source software, but I also know enough to avoid shady apps, and I understand what Android's permissions mean. Whether you go with iOS or Android, you need to make sure your phone is getting regular updates. The best way to do that with Android is to buy a phone that runs an unadulterated version of the OS like a Pixel, since modifications by a carrier or hardware vendor just add delays to updates. With an iPhone, just make sure your phone is less than 2-3 years old and install updates as soon as you get them.

Speaking of smartphones, standalone GPS navigators still exist and don't report your location. Many of them also have the ability to play MP3s from SD cards if you're able to give up Spotify and get really old school.

When it comes to cloud storage of files, you can either self-host (I run NextCloud on a server in my house), or use a storage provider or third-party software that supports end-to-end encryption. Apple's iPhone and iCloud win this one hands down for the average consumer nowadays, with MEGA as a close runner up if you prefer something more open. If you do feel confident self-hosting something like NextCloud, you also get fancy stuff like a built-in RSS reader, webmail client, ebook library, integration with Google Docs-like self-hosted services, and all kinds of other apps. Please let me know in the comments if you'd like me to do a full post on self-hosting!

Oh, and in case you don't know what I mean by "end-to-end encryption", that means that the encryption is done on the end-user's device, with the keys never entering the hands of a third party. iPhone/iCloud qualifies even though Apple technically has the keys, because Apple has implemented a clever mechanism that ensures that only the end user can get at the backed up key.