Stop Confusing Privacy & Anonymity (and Security)

Intro

  • The video started well regarding Signal not being private because it requires a phone number.
  • Addressing the nuance of threat models in the beginning was also very good.

Definitions

“Privacy: The assurance that your data is only seen by the parties you intend to view it.”

I prefer saying this as “The ability of an individual to selectively disclose themselves” but it’s practically the same definition.

“In the context of an instant messenger for example, E2EE provides privacy by keeping your messages visible to only yourself and the recipient.”

This is not the definition of IM privacy. Instant messengers have two aspects to their privacy, content and metadata. Unless you’re going to explain which ones are protected, and how, you’re not doing any favors by just using blanket statements like “it’s private”. E2EE only provides content-privacy.


“Security: The ability to trust the applications you use, that the parties involved are who they say they are, and keep those applications safe.”

No, security means you remain secure from your absolute threat model. Also, the sense of security means you remain secure from your perceived threat model. These two are not the same. The issue is only an oracle would know your absolute threat model with utmost certainty, so you need to utilize different heuristics and publicly available information on threats to create an estimate, then do a cost-benefit analysis for your situation about where you should take precautions and where you should take risks.

Computer security is a wider concept than

  • Trusting company policy, or using trustless (privacy by design) systems, i.e. ones that you can verify from open source and preferably, reproducible builds.
  • Authenticity (to verify parties involved), and
  • “Keeping applications safe”? This is way too vague and sounds like a circular definition. Safe in what way? Patched from vulnerabilities? Latest in protocol design and primitives used?

E.g. availability is an integral part of computer security, not covered by these.

“In the context of browsers, security is provided by certificates”

Certificates are about providing confidentiality, integrity and authenticity, i.e., the cryptographic CIA triad.

Confidentiality means content-privacy. When browsing, TLS is effectively end-to-end encryption between you and the server('s load balancer). Integrity ensures data isn’t changed during delivery, and authenticity tells you that you’re really talking to privacyguides.net server infra.

Certificates do NOT protect the source/destination IP that tells which service you’re talking to, and if my threat model includes a threat where my ISP learns I visited the IP hosting fightthefascism.com, then certificates do not provide security.


“Security and privacy without anonymity”

Calling Signal private is meaningless because it conveys nothing about its constraints.

It’s end-to-end encrypted, which means it provides content-privacy. It’s open source with some reproducible builds, so its content-privacy can be provided by users. This is the gold standard, so we call it content-privacy by design.

Signal requires your phone number, and its server has the theoretical ability to collect user metadata, just like WhatsApp does. Signal chooses not to do that, and we have court docs to show this, so we know it’s protected by Signal’s policy. Thus we say Signal provides metadata-privacy by policy.

“Your messages and metadata are encrypted”

This is lazy. Messages are end-to-end encrypted; metadata such as phone numbers is encrypted with a key Signal controls, so the best you could say is that it provides mediocre protection for the phone number against someone compromising Signal’s servers. Signal has no trouble handing out the limited set of metadata of a user by phone number based on court orders, so lumping encryption of phone numbers together with the state-of-the-art end-to-end encryption it provides either dilutes the E2EE nature of content, or misleads about the level of security phone numbers have on the server side.

“Privacy without security or anonymity: A VPN shifts the traffic from your ISP to your VPN provider. By making this change, you’re controlling who can see your internet traffic. Your IP-address is still known by the VPN provider, so that they can provide you with the service. This means you won’t be anonymous. VPNs also don’t offer security benefits over not using one.”

If my threat model includes my ISP doing DPI over my data going to some server, a VPN absolutely provides security against that particular threat. A VPN provides content-privacy for HTTP sites against the ISP and script kiddies hanging around the airport WiFi. A VPN anonymizes your queries to your non-VPN DoH DNS provider.

“Chromebooks are considered some of the most secure computing devices. However, they are deeply embedded with Google’s software. Google is known for tracking and profiling their users, and invading their privacy.”

If your threat model includes loss of anonymity or privacy, then you don’t have security with Chromebooks.

If you do not care about Google or the NSA exploiting your data, but your threat model includes some criminal breaching the device, then, sure, it’s providing decent security against your threat model. Yes, the author talked about the nuance in the beginning, yet it seems to be missing in these examples. My main gripe is not with the general intention, but with the extremely poor definition of security.

“Anonymity without security: Cash”

And now security widens to the non-digital world: “you can’t get your money back”. Yes that’s a threat in your overall threat model. Security is a larger topic than computer security.


“Targeted attacks: Being protected from hackers or other malicious actors who are trying to gain access to your data or devices specifically. Common attacks include sending malicious documents by email, exploiting vulnerabilities in e.g. browser/OS, and physical attacks. If you’re worried about targeted attacks, you should be focused on utilizing tools that offer additional security benefits. Depending on the level of the risk, this may mean sacrificing privacy for the benefit of extra security.”

No example was given here, but what I read between the lines is using a Chromebook or iDevice to guard against state surveillance. This might work if your threat model includes the CCP. Not if it includes the NSA. So again, it depends on your threat model.

“Anonymity: Anonymity is the complete dissociation of your online activities from your real life identity. Conversely, you shouldn’t use tools that provide anonymity when your anonymity is known. For instance, logging into your bank account while using Tor is likely to trigger security measures from your bank, and it will link your real life identity to your Tor session.”

This is good OPSEC advice. But anonymity is a much more complex topic, as it includes mainly metadata-privacy, but also content-privacy. What you know and say, and how you say it (vocabulary, use of parentheses etc.) can often deanonymize you.

“Surveillance capitalism: For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks such as those operated by Google and Facebook span the Internet far beyond just the sites they control, tracking your actions along the way. Utilizing browsers that thwart tracking technologies can throw off advertising tracking, and protect you against these types of privacy risks. However, using a privacy-focused browser doesn’t make you anonymous, but it does make you more private by reducing the ability for web-sites to track you across the internet.”

Web tracking is like a game of guess-who, where you expose yourself with small pieces. You like to browse red Audis? That filters out 80% of web users. You like to check available movies after that? That filters out 99.999999% of Internet users. You have unique persistent canvas fingerprint ID? Now enabling the VPN is useless in protecting your identity against the server.
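As an added illustration of the guess-who model (example code, not part of the original post): the attribute fractions are constructed from the paragraph above and assumed independent, and a constructed pair of sessions shows why a new IP from a VPN does not unlink a stable fingerprint.

```python
import math

# Constructed "guess-who" model: each observed attribute is shared by some fraction of
# users, and each observation shrinks the set of users indistinguishable from you.
# Fractions are assumed independent (a worst-case simplification for the user).
WORLD = 5_000_000_000  # assumed number of internet users

# Constructed trail following the post: (attribute, fraction of users sharing it)
CONSTRUCTED_TRAIL = [
    ("browses red Audis", 0.20),                   # "filters out 80%"
    ("checks movie listings", 1e-8),               # "filters out 99.999999%"
    ("persistent canvas fingerprint", 1 / WORLD),  # unique to one user
]

# Constructed sessions from one device before and after enabling a VPN (RFC 5737 addresses)
CONSTRUCTED_SESSIONS = [
    {"ip": "203.0.113.7", "fingerprint": "cfp-7a1e"},    # home connection
    {"ip": "198.51.100.21", "fingerprint": "cfp-7a1e"},  # same device via VPN exit
    {"ip": "198.51.100.21", "fingerprint": "cfp-0c44"},  # another VPN user, other device
]

def surprisal_bits(fraction):
    """Identifying information (bits) leaked by an attribute shared by `fraction` of users."""
    return -math.log2(fraction)

def anonymity_set(population, trail):
    """Return [(attribute, cumulative bits, users still indistinguishable)] per step."""
    remaining, bits, steps = float(population), 0.0, []
    for name, fraction in trail:
        bits += surprisal_bits(fraction)
        remaining *= fraction
        # You are always in your own anonymity set, so it never drops below one person.
        steps.append((name, round(bits, 2), max(1, round(remaining))))
    return steps

def link_sessions(sessions):
    """Group sessions by fingerprint, ignoring IP, as a tracking server could.
    A VPN changes the IP but not the fingerprint, so the sessions stay linked."""
    linked = {}
    for session in sessions:
        linked.setdefault(session["fingerprint"], set()).add(session["ip"])
    return linked

if __name__ == "__main__":
    for name, bits, left in anonymity_set(WORLD, CONSTRUCTED_TRAIL):
        print(f"{name}: {bits} bits, {left} users remain")
    print(link_sessions(CONSTRUCTED_SESSIONS))
```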

“Just because one tool doesn’t offer privacy, security and anonymity, doesn’t mean you shouldn’t use it. You need to evaluate what you realistically need for your situation.”

The part that talks about adjusting different tools to fit your threat model is sound advice. Messing up the definitions once again does a disservice to the community.


Security is not lack of vulnerabilities, or a generally defensively programmed system. Security is the state of being safe from your absolute threat model.
Privacy is not the same as E2EE. Anonymity is not “using Tor”.

I beg everyone here, especially the staff, to read what I wrote in The collective misunderstanding of Privacy vs Security vs Anonymity.

We really, really, really need to fix these distinctions, and this video once again failed to understand the relationship between these terms, and thus, miseducated the community.
