Please provide feedback on my setup

Hi everyone,

Longtime lurker here. I really appreciate the work of Privacy Guides, and am just beginning my journey. I would be so grateful to receive feedback on the setup I’m planning as related to my goals (and threat model). I thank you in advance for taking the time to do so. :slight_smile:

My goals:

  • to keep my personal information as private as possible,
  • to not contribute to the unethical practices of big tech (e.g. Google, Meta, Amazon, etc),
  • to be an ethical consumer,
  • to have a pseudonym under which I engage in political commentary and activism (nothing edgy, really - just social justice),
  • to keep my employer (and prospective employers) entirely unaware of my connection to my pseudonymous activities (formal consequences could mean job loss, or lost job opportunities, while informally my life at work could just be made more difficult if my pseudonymity were blown),
  • to ensure almost* everyone else has no knowledge of my connection to my pseudonymous activities

* - While I do not want to be frivolously exposed to government and law enforcement, I am not terribly concerned about CSIS (I’m Canadian) being able to figure out who I am should they devote the resources to doing so. I am not engaging in illegal or offensive activity, and frankly they wouldn’t waste their time looking at me.

My setup:

  • Samsung phone is my primary device (secondary device explained below) and gets security updates for a few years, and will be replaced when it doesn’t.
  • All location services off
  • Brave browser (aggressive anti-tracking, no autofill, info auto deletes upon closing app)
  • DuckDuckGo browser (aggressive anti-tracking, no autofill, info auto deletes upon closing app)
  • NordVPN (looking to switch to Proton, IVPN, or Mullvad)
  • A new Google email so I can use Android. I won’t use it. I plan on using Proton or Tutanota (native apps)
  • Proton Drive
  • Ente for photos
  • All news “apps” are web based applications installed from Brave. No native apps
  • AntennaPod
  • Bluesky native app (for my pseudonym)
  • Reddit (browser only) (same pseudonym)
  • Instagram (browser only) (same pseudonym)
  • Will eventually get a .ca domain named after my pseudonym.
  • Banking app
  • Standard Notes
  • Substack app (bad idea?)
  • Bitwarden for all my passwords, 20+ characters each
  • Exif Eraser

Here is where it gets messy…

I have a separate device with added hardware for my music setup (no Bluetooth - wired connection only). It is an old Samsung (no longer getting security updates), and I feed it a connection via my primary device’s hotspot. Could this expose me or be an additional attack vector/surface?

Considerations

  • Should I go all-in on Proton’s mail, calendar, drive, and VPN? Or should I decentralize my patronage? I ask because Proton’s mail and calendar app seem really sleek and easy to use.
  • Is GrapheneOS actually safer? I worry about using a device that will actually be less safe and expose me to attacks, stealing my data and identity. Or making me otherwise stand out online for using such a unique OS (if that can be identified)
  • Lastly, spending money on a device right now isn’t quite (yet) in the books…
  • I plan on getting a laptop some day - but can’t afford it yet, and am doing everything by phone

I’d appreciate all feedback. And please feel free to challenge my goals as well. It’s possible I’m misguided. :slight_smile:

GrapheneOS is indeed more secure than stock Android, as the developers of GrapheneOS dedicate extensive effort to hardening core components of the operating system and using secure hardware (Google Pixels, Motorola device coming soon). Of course, the security hardening of GrapheneOS alone cannot guarantee a net privacy or anonymity win for your threat model.

On the Proton note, I would discourage you from putting all of your eggs in one basket. Personally I like many of the offerings Proton brings to the table, but putting too much dependence on a single provider can lead to a single point of failure risk which you must evaluate for yourself (is the convenience worth the security trade-off). Further, you may consider using Proton for your pseudonym but non-Proton services for your real/other identity for an added layer of separation.

With regards to your networking/hotspot question I am not sure[1], but I would err on the side of assuming an advanced enough adversary could correlate these devices and “unmask them”. I do not think this networking setup adds any significant attack surface beyond if you were just connecting the outdated Samsung directly to WiFi, though I would discourage connecting such outdated devices to the internet where possible/feasible.


  1. I only have so much data, and my in-depth knowledge of Android networking is somewhat limited, others may be able to help you with this. ↩︎

1 Like

What you’ve outlined is generally sound for your initial use case of a private and ethical setup. Some quick wins to consider:

  • Create a separate Android profile for your pseudonym and your real-life identity (if you’re currently using a single profile). This reduces the risk of accidentally leaking information between identities.
  • Consider replacing one of your browsers with the Tor Browser for Android, depending on how you use it.
  • Use a non-Google keyboard to avoid sending typing data to Google, such as Florisboard or FUTO keyboard.

For activism, the protections you need depend on the type of activity:

  • For in-person actions that could attract law-enforcement attention (e.g., anti-government or anti-police protests), a GrapheneOS device can defend against targeted attacks; alternatively, simply not bringing a phone is effective.
  • For online-targeted activism, use email aliasing to add a layer of protection against attackers trying to access your domain registrar, web host, or accounts exposed in data breaches.

About using your phone as a hotspot: I can’t assess specific risks here, but set an ambiguous SSID since SSID mapping can reveal associations.

Specific recommendations:

  1. Proton as an all-in-one solution is acceptable. The downside is that a targeted attacker who compromises one set of Proton credentials could access drive, calendar, and mail. As an alternative, consider splitting services - for example, Tuta for mail/calendar, Proton for drive and VPN, and SimpleLogin for email aliasing (which is included with Proton subscriptions).
  2. GrapheneOS offers stronger protections than stock Android: better VPN-leak prevention, no Google account requirement, hardening against many modern phone attacks, and features like a duress PIN to wipe the device if necessary among other things.

Hey, thanks for your response. Yeah, hotspotting to WiFi is tricky because I want to use it at work and prefer my employer not be privy to what I listen to (rock, rap, heavy metal, etc can be pretty edgy, kids!). As for it being an unprotected device, I am not too worried, as all I have on there is Spotify and some niche audio apps. But the hotspotting is definitely a vulnerability. I’ll have to ponder it…

Thanks for noting separation. I’ll do that. To pay for services, like email, calendars, VPNs and clouds, should I use an online refillable credit card?

Thank you for taking the time to respond. Yes, if I’m to do separate Android profiles, do you mean on the same device? Because at that rate I’d think just go with GrapheneOS on a brand new device. And so I ask:

  • Is getting a subsidized device from a carrier acceptable? If I get a Pixel 10 and load GrapheneOS to it, would that protect me from the carrier’s bloatware or surveillance?
  • Would I not be having the hotspot problem if I do this, unless I open a whole new line (holy cow batman my wallet)?

I really like the idea of separate devices, and am trying to game that out…

Warning about carrier devices. Some cell carriers[1] will lock the bootloader and prevent you from loading alternative Android distributions or operating systems.


  1. I’m not sure this really applies to Canada, but it is worth looking into before committing. ↩︎

2 Likes

Yes, that seems like a reasonable payment method given your stated goals.

Have you tried Notesnook? The free version allows 50MB/Month attachments so 600MB/year for free.

Maybe look into free Duck.com aliases by DuckDuckGo. Really useful.

If you just want the “privacy” aspect of ProtonVPN then I think culling the NordVPN sub might be worth it. ProtonVPN is free.

You can try Infinity (self built with the script) for Reddit. Much better than the original app.

This depends on which part of the network you’re talking about.

If you’re talking about websites, then maybe. Sites can try to deduce what browser you’re using. If they detect that you’re using Vanadium (the default browser of GOS), then they can pretty confidently say that you’re on GOS, since that’s the only platform Vanadium is currently available on. (Vanadium does make best effort to try & appear as standard Android Chrome.) If you’re using another browser, then that chance is less & you could blend in with other Android users more (if using a potentially less secure browser than Vanadium is an acceptable trade-off for you).

If you’re talking about apps, they can deduce that they’re running on GOS from the publicly available info that all installed apps can access. It’s another question whether they’re actually doing so or not; it’s hard to tell, especially with proprietary closed-source apps. I’d say it’s a value judgement: do you value the privacy & security benefits GOS provides more than the chance that a specific app might know that you’re using GOS? You’ll have to make that call yourself.

GOS makes a bunch of default connections, but they’ll all be routed through your VPN when one is available; the only exception being the Network connectivity checks. Those can be changed to go to the Android standard Google server which most Android devices use, so that way you’ll blend in with other Android devices. So if you’re using a VPN & have changed the connectivity checks server to the standard Google server, you’ll appear as a regular run-of-the-mill Android device to any listeners on the network.

Since you’re on Samsung, let’s set the baseline first. Go to your settings, find the app list, enable viewing of the system apps, and then find an app called Google Services Framework (GSF) and check its permissions. It will have quite a bit, such as your location, phone, camera, microphone, nearby devices, contacts, physical activity & more. Google can see all of that & I’d bet they’re not just keeping it to themselves. My personal favorite of the permissions GSF has is the Draw over other apps permission: as stated by the permission itself, it allows the app to see what locations you’re tapping on the screen. And since your keyboard is in a standard location all the time & GSF can see where you’re tapping…

The question is, do you trust GSF (and whatever similar apps Samsung might have embedded into your phone that do the same thing) not to abuse their access? Maybe you do. Maybe you don’t. I can’t make that call for you. All I can say is that I sure don’t trust Google or Samsung with such access to my phone; not in a million years. That’s why I use GOS. It doesn’t have any of the stuff which you just saw on your current phone.

I’d say you’re well on the right track even considering using GOS. I highly recommend it & I’m sure most others who use it can recommend it as well. And if you ever need to go over more technical questions of GOS, whether regarding usage or installation, the GOS Forum has a bunch of knowledgeable people ready to help.

Good luck on your privacy journey, whether you decide to use GOS or not. :grin:


I am not a native English speaker. I speak for myself, my opinions & statements are my own, and I am not a part of the GrapheneOS project or team, nor do I represent them.

3 Likes

+1 for the GrapheneOS forum, I’ve been able to find answers to many of my questions related to GrapheneOS app compatibility and troubleshooting thanks to the knowledgeable folks over there.

1 Like

Fantastic post. Thank you.

Yup, I’ll be getting a Pixel with GrapheneOS. The concern though is that they’re expensive, and I’d like a refurb. But I’m concerned the used device will be associated with a former user’s nefarious activity… Perhaps it’s me wearing a tinfoil hat…

Talking about me? /s

If you get a refurb one, you might want to check the IMEI to confirm it is not banned from connecting to the cell network.

1 Like

Hahahahah :slight_smile:

I love your name. And yes, I shall do so!

What I worry about, too, is that the IMEI was formerly used by someone engaging in illegal activity. I’m concerned about being on the radar of police even though I’ve done nothing wrong. :confused:

I wouldn’t be concerned about it too much. If LE knew exactly what device a suspect is using, they would know it changed hands when you activate the device again and register it at another place with another SIM.

It would not be the only lead LE has.

And tbh the chance you acquire a used device previously owned by a criminal is very slim, if you head to a chain store.