I have been lurking for a while, and been ignoring my privacy for longer. I feel like its time to get started now, however I have a couple of questions, that are blocking me…
Threat level wise i am not too concerned about being hacked or similar, for me it mostly boils down to being in control of my data, and who I choose to share it with.
The country i live in is highly digitalized, to the point where we have several more or less mandatory apps, from the government, with more coming every year. Which means I need a smartphone (been trying a dumbphone for a year, didnt work out for me). Unfortunately, it seems like multiple of the apps, require the google integrity api, making the switch to GOS something I would like to avoid at this point. (Unless you tell me, what I write below, is impossible to achieve without) I’m currently on an iPhone.
Here comes the questions:
I seem to have gotten a pretty good grasp of fingerprinting in browsers, but is safari with the suggested tweaks here, good enough?
I have had a hard time, finding out more about device fingerprinting. Can I stay on iOS, and use apps like Spotify, without risking that whatever data they have on me, is linked to my “new browser personality”, making the other efforts redundant. (I think my “greatest fear” when starting this, is doing everything right, only to mess up once, and have my anonomous data, linked to my old online persona.)
My email and phone number is spread across the internet, as I have been using the same for a while. When I swap from Gmail, to another mail service, should I then go around and change my email on the user accounts I need to keep, to an alias, or would I need to create new accounts? Same for phone number, i cant really change to a new one, I would be able to get a burner nr, I could change once a year though. Would that make any difference?
That was some concrete examples, but in general, how do i avoid, being linked to my “old” online persona, if that is even a thing, or just an unjustified fear of mine.
Bonus questions:
If I trust my isp, would I get any benefit by using a vpn?
If I live in the eu, do I get any benefit from these data removal services?
Sorry for the long post, hope it makes sense, orherwise im available for followup questions.
Spotify can’t know what you’re browsing in another app. They will know your IP address and what you do on their service, obviously.
Create new accounts with aliases and strong passwords using your password manager if you can/wherever you can. Elsewhere, change your email and password regardless.
If you let the phone number be since its already out there, you can still get a new number for yourself for your personal use that you share with select people only. Or get a jmp.chat number for your needs and use that wherever possible.
Delete old accounts you no longer use. CHange account detail like you are already thinking about. And remove yourself from social media and your photos if you can. The next big step is removing your data from data broker companies/entities which is a whole other thing.
Not really. VPN is to obfuscate your ISP from knowing what you do. If you go to an adult site or torrent a file, they will know. Are you okay with it? If not, use a VPN always for any and all internet activities.
Smartphones (not just iOS) have sandboxing, so Spotify can’t access your browser data or vice versa. They can fingerprint your device, so they will collect data about your OS, IP address, time zone, etc. If you use Spotify from a web browser, they can collect your browser cookies, so that’s the “new browser personality” you’re talking about, but you can set-up multiple browser profiles if you’re concerned about browser fingerprinting.
If you really need to keep your account, just change your personal details. You have to think about what you’d lose if you delete your account. For example, I can’t delete my Steam account because all of my games are tied to that account that I’ve had for about two decades. But when I started my privacy journey, I made a new Amazon account and deleted my old one since I don’t care about my order history from my old account. As for phone numbers, you don’t necessarily have to change your phone number, but you should get multiple phone numbers to compartmentalize. For example, you might not want to use the same phone number for personal and work, or the same phone number for shopping and banking. If you can’t get multiple phone numbers, think about your threat model before you decide to give another service your phone number. Do they need your phone number? And do you need to use their service if they require a phone number?
Compartmentalize. Use e-mail alias, different phone numbers, different usernames, maybe even different names if you can get away with it. If you still use social media, create different accounts that isn’t tied to your social media. If my Twitter username is bob123 for example, unless I want to direct my followers to another social media account, my TikTok account would be john123. I’ve even used Spiderfoot and Wayback Machine to find archives of my old social media accounts and had them removed.
The endpoint will collect your IP address, which is any websites you visit. If you’re not concerned about that, you probably don’t need a VPN, but I do think VPNs do fit every threat model.
EU has GDPR. Just request your data to be removed. They will do it within a month, but depending on the service, they’re also required to keep your data for 6 years. Doing it manually is better than using any data removal service, not that I’ve used any myself.
In my opinion when someone starts a privacy journey and begins to lock down services and stuff there’s something often overlooked: backups, and in particular 2FA.
Be wary to not fall in a catch22 situation where you need to access your mail which needs a 2FA code which is locked in a password manager that needs also 2FA.
If you lose access to your authenticator app/service (like your phone) you could end up being locked out.
So be sure to have regularly updated local and remote backups of master password, 2FA, seeds and recovery codes.
I don’t think that making new online accounts achieves anything. The first step in a privacy journey should be to limit data exfiltration by dis-services such as social media, streaming platforms and “cloud” platforms. Get rid of Internet-of-Shit devices (aka “smart appliances” connected to the Internet), pull the fuse or physically disable the cellular modem in your car if there is one. Install Linux on your PC. Next time you upgrade a phone, buy a Pixel and flash Graphene (keep the iPhone for those “indispensable” government apps.) Use cash or crypto whenever practical.
I understand, that Spotify cant access information about other apps, I was more thinking that wont they know im the same guy, even though I change account, if I log in on the same device again?
Is there anyway to “reseed” or something, so my device looks like a brand new one?
And if I swap to web Spotify, wont the issue be the same when i still Connect from my home network?
(Btw im not really sure I am concerned about Spotify specifically, that was just an example)
I also Saw some of you mention smart devices. How about smart tv’s, Apple TVs, and similar. Is there anything to be done about those devices?
You can block some telemetry using a DNS service or custom firewall rules. PiHole is one example and some routers provide similar functionality. Your smart devices can be pointed at a locally hosted DNS service to determine whether a destination is ok to contact. If it appears on a list of telemetry services the connection is blocked. The same logic applies to advertisements and malware sites. Some VPN or public DNS providers offer this functionality too. This can interfere with the intended functionality of your device and some websites will break. I’ve never had a problem personally.
These devices should always be avoided, since they either track the user directly, or enable tracking by the apps running on them. The solution I usually propose is to repurpose the TV as a “dumb” monitor for a Linux HTPC (usually a mini PC, or perhaps an old laptop).