Stop Confusing Privacy & Anonymity (and Security)

Why are staff posts always pinned?

We do it to all articles and videos for a few days: Pin new articles for a period of time

You can unpin them by just clicking the pin icon, or they should be unpinned automatically once you interact with the post.

1 Like

Thanks for the feedback on the subtitles I will double check this today, and get it fixed! Thanks :folded_hands:

Thanks, I thought we had to open the post and scroll all the way to the bottom which is a pita.

1 Like

I am not sure these terms actually refer to the same thing. When people talk about the “data economy” they are usually referring to the collection and sale of data by data brokers, whereas “surveillance capitalism” refers to the widespread collection and use of data by large corporations. (Sure, these are highly related concepts)

Google arguably does not participate in the digital data economy because they do not really have or participate in an ecosystem where data is shared between parties. However, they certainly benefit from their own private mass surveillance programs when it comes to targeting their own advertising programs.

This is different than what we are doing, because we are not referring to the United States’ (or other Western governments’ activities) as “surveillance capitalism” in the first place. We are referring to mass surveillance programs run by private corporations.

When it is the United States (or other governments) doing it to its citizens, we just call it “mass surveillance.”

5 Likes

I love how well made these videos are!

Okay help me out here.

Using signal as an example of privacy (“the assurance that your data is only seen by the parties you intend to view it”) makes sense to me

The definition of security also makes sense. But then saying HTTPS certificates are about security seems a little less clear. (“Certificates prove you’re talking directly to the websites you’re visiting. And keeping attackers from reading or modifying the data sent to or from the website”)

It seems like we’re almost describing the same thing. Obviously, HTTPS encryption (to the server) isn’t the same thing as end-to-end encryption (to another user). But the general idea is still the same: in both examples (Signal and HTTPS), we’re trying to make sure no one can read or modify our data. Right?

As someone who both geeks out on this stuff a lot AND still has a hard time explaining the difference between security and privacy, I’d love to see an example for security that is more clearly different than the privacy example. My two cents!

1 Like

The difference is mainly that end-to-end encryption (e.g. Signal protocol) protects you from all intermediaries (including the service you’re using itself), whereas mere transit encryption (e.g. HTTPS) only protects you from attackers in the middle of your network connection.

The example with HTTPS certificates does probably make the most sense in the context of apps like instant messengers though, where there are two parties communicating, plus a server in the middle.

In cases where the only two parties involved are you and the server, you could certainly argue that HTTPS is acting in the same way Signal E2EE is (ensuring that the party you are connecting to is the only one able to read the data) and that there is a privacy benefit. So yes, I will give you that this example is a bit ambiguous, and we’ll consider that when we give future examples.


A different example for security could be adding Two-Factor Authentication to an account. It doesn’t change at all who can access your data under normal circumstances, but it significantly improves your protection against data breaches, credential stuffing, etc.

3 Likes
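The distinction drawn above (transit encryption protects against an attacker on the network path, end-to-end encryption also protects against the service in the middle) comes down to who holds which key. The following is an added example for this thread, not code from Privacy Guides or Signal: it models the two designs with a stand-in cipher (an HMAC-SHA256 keystream XOR from the standard library, so it runs offline, with no authentication tag or real nonce discipline) and reports what each party can read. Party names, key labels and the message are constructed for the demonstration.

```python
"""Who can read a message under transit-only encryption versus end-to-end
encryption. Added example for this thread, not code from Privacy Guides or
Signal. The cipher is a stand-in: an HMAC-SHA256 keystream XOR built from the
standard library so it runs offline, with no authentication tag or real nonce
discipline. The point is key placement, not the cipher.
"""
import hashlib
import hmac
import os


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with HMAC(key, nonce || counter) blocks."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def read_with(keys: dict, label: str, nonce: bytes, ciphertext: bytes):
    """A party decrypts only if it holds the key for that link; otherwise None."""
    key = keys.get(label)
    return None if key is None else keystream_xor(key, nonce, ciphertext)


def transit_only(message: bytes) -> dict:
    """HTTPS-style hop-by-hop encryption: Alice<->server and server<->Bob are
    separate links, so the server decrypts and re-encrypts in the middle."""
    k_alice_server, k_server_bob = os.urandom(32), os.urandom(32)
    alice = {"alice-server": k_alice_server}
    server = {"alice-server": k_alice_server, "server-bob": k_server_bob}
    bob = {"server-bob": k_server_bob}
    eavesdropper = {}  # on-path observer between Alice and the server, holds no keys

    n1 = os.urandom(12)
    hop1 = keystream_xor(alice["alice-server"], n1, message)
    server_view = read_with(server, "alice-server", n1, hop1)  # server gets plaintext
    n2 = os.urandom(12)
    hop2 = keystream_xor(server["server-bob"], n2, server_view)
    return {
        "eavesdropper_reads": read_with(eavesdropper, "alice-server", n1, hop1),
        "server_reads": server_view,
        "bob_reads": read_with(bob, "server-bob", n2, hop2),
    }


def end_to_end(message: bytes) -> dict:
    """Signal-style: Alice and Bob share a key the server never holds. The
    transport link still exists, but it only wraps ciphertext."""
    k_alice_bob, k_alice_server = os.urandom(32), os.urandom(32)
    alice = {"alice-bob": k_alice_bob, "alice-server": k_alice_server}
    server = {"alice-server": k_alice_server}
    bob = {"alice-bob": k_alice_bob}
    eavesdropper = {}

    n_e2e = os.urandom(12)
    inner = keystream_xor(alice["alice-bob"], n_e2e, message)  # only Bob can open this
    n_transport = os.urandom(12)
    outer = keystream_xor(alice["alice-server"], n_transport, inner)

    # The server can strip the transport layer, but what it gets is still ciphertext.
    server_inner = read_with(server, "alice-server", n_transport, outer)
    return {
        "eavesdropper_reads": read_with(eavesdropper, "alice-server", n_transport, outer),
        "server_reads": read_with(server, "alice-bob", n_e2e, server_inner),  # None
        "bob_reads": read_with(bob, "alice-bob", n_e2e, server_inner),
    }


if __name__ == "__main__":
    msg = b"meet at 19:00"  # constructed sample message
    print("transit-only:", transit_only(msg))
    print("end-to-end:  ", end_to_end(msg))
```

In both designs the on-path eavesdropper reads nothing, which is the security property HTTPS delivers; only in the end-to-end design does the relay also read nothing, which is the extra privacy property the post attributes to Signal.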

There isn’t a misconception, but conflation?

An interesting point I’ve come across is:

From information privacy perspective, some (mostly, advocates of privacy as control / choice) argue that anonymity is an incomplete (!) take on privacy, and that anonymity is table stakes. That is, a service / app that doesn’t have anonymity is not private (since the choice / control to go anonymous has been already made by the developer / provider).

3 Likes

My number one frustration when speaking with people about privacy is that they assume I’m talking about anonymity. They think I’m trying to go under and hide from the government.

Intro

  • The video started good wrt Signal not being private because it requires a phone number.
  • Addressing the nuance of threat models in the beginning was also very good.

Definitions

“Privacy: The assurance that your data is only seen by the parties you intend to view it.”

I prefer saying this as “The ability of an individual to selectively disclose themselves” but it’s practically the same definition.

“In the context of an instant messenger for example, E2EE provides privacy by keeping your messages visible to only yourself and the recipient.”

This is not the definition of IM privacy. Instant messengers have two aspects to their privacy, content and metadata. Unless you’re going to explain which ones are protected, and how, you’re not doing any favors by just using blanket statements like “it’s private”. E2EE only provides content-privacy.


“Security: The ability to trust the applications you use, that the parties involved are who they say they are, and keep those applications safe.”

No, security means you remain secure from your absolute threat model. Also, the sense of security means you remain secure from your perceived threat model. These two are not the same. The issue is only an oracle would know your absolute threat model with utmost certainty, so you need to utilize different heuristics, and publicly available information on threats to create an estimate, then do cost-benefit-analysis for your situation about where you should take precaution and where you should take risks.

Computer security is a wider concept than

  • Trusting company policy, or using trustless (privacy by design) systems, i.e. ones that you can verify from open source and preferably, reproducible builds.
  • Authenticity (to verify parties involved), and
  • “Keeping applications safe”? This is way too vague and sounds like a circular definition. Safe in what way? Patched from vulnerabilities? Latest in protocol design and primitives used?

E.g. availability is an integral part of computer security, not covered by these.

“In the context of browsers, security is provided by certificates”

Certificates are about providing confidentiality, integrity and authenticity, i.e., the cryptographic CIA triad.

Confidentiality means content-privacy. When browsing, TLS is effectively end-to-end encryption between you and the server('s load balancer). Integrity ensures data isn’t changed during delivery, and authenticity tells you that you’re really talking to privacyguides.net server infra.

Certificates do NOT protect the source/destination IP that tells to which service you’re talking, and if my threat model includes a threat where my ISP learns I visited the IP hosting fightthefascism.com, then certificates do not provide security.


“Security and privacy without anonymity”

Calling Signal private is meaningless because it conveys nothing about its constraints.

It’s end-to-end encrypted, this means it provides content-privacy. It’s open source, with some reproducible builds, its content-privacy can be provided by users. This is the gold standard, so we call it content-privacy by design.

Signal requires your phone number, and its server has the theoretical ability to collect user metadata, just like WhatsApp does. Signal chooses not to do that, and we have court docs to show this, so we know it’s protected by Signal’s policy. Thus we say Signal provides metadata-privacy by policy.

“Your messages and metadata are encrypted”

This is lazy. Messages are end-to-end encrypted, metadata such as phone numbers are encrypted with a key Signal controls, so the best you could say, is the phone number is getting mediocre protection against someone compromising Signal’s servers. Signal has no trouble handing out the limited set of metadata of a user by phone number based on court orders, so lumping encryption of phone numbers together with the state-of-the-art end-to-end encryption it provides, either dilutes the E2EE nature of content, or, it misleads about the level of security phone numbers have on the server side.

“Privacy without security or anonymity: A VPN shifts the traffic from your ISP to your VPN provider. By making this change, you’re controlling who can see your internet traffic. Your IP-address is still known by the VPN provider, so that they can provide you with the service. This means you won’t be anonymous. VPNs also don’t offer security benefits over not using one.”

If my threat model includes my ISP doing DPI over my data going to some server, a VPN absolutely provides security against that particular threat. VPN provides content-privacy for HTTP sites against the ISP and script kiddies hanging around the airport WiFi. A VPN anonymizes your queries to your non-VPN DoH DNS provider.

“Chromebooks are considered some of the most secure computing devices. However, they are deeply embedded with Google’s software. Google is known for tracking and profiling their users, and invading their privacy.”

If your threat model includes loss of anonymity or privacy, then you don’t have security with Chromebooks.

If you do not care about Google or NSA exploiting your data, but your threat model includes some criminal breaching the device, then, sure, it’s providing decent security against your threat model. Yes, the author talked about the nuance in the beginning, yet it seems to be missing in these examples. My main gripe is not with the general intention, but extremely poor definition of security.

“Anonymity without security: Cash”

And now security widens to the non-digital world: “you can’t get your money back”. Yes that’s a threat in your overall threat model. Security is a larger topic than computer security.


“Targeted attacks: Being protected from hackers or other malicious actors who are trying to gain access to your data or devices specifically. Common attacks include sending malicious documents by email, exploiting vulnerabilities in e.g. in browser/OS, and physical attacks. If you’re worried about targeted attacks, you should be focused on utilizing tools that offer additional security benefits. Depending on the level of the risk, this may mean sacrificing privacy for the benefit of extra security.”

No example was given here, but from what I read between the lines, is using Chromebook or iDevice to guard against state surveillance. This might work if your threat model includes CCP. Not if it includes the NSA. So again, it depends on your threat model.

“Anonymity: Anonymity is the complete dissociation of your online activities from your real life identity. Conversely, you shouldn’t use tools that provide anonymity when your anonymity is known. For instance, logging into your bank account while using Tor is likely to trigger security measures from your bank, and it will link your real life identity to your Tor session.”

This is good OPSEC advice. But anonymity is much more complex topic, as it includes mainly metadata-privacy, but also content-privacy. What you know and say, and how you say it (vocabulary, use of parenthesis etc) can many times deanonymize you.

“Surveillance capitalism: For many people, tracking and surveillance by private corporations is a growing concern. Pervasive ad networks such as those operated by Google and Facebook, span the Internet far beyond just the sites they control, tracking your actions along the way. Utilizing browsers that thwart tracking technologies can throw off advertising tracking, and protect you against these types of privacy risks. However, using a privacy-focused browser doesn’t make you anonymous, but it does make you more private by reducing the ability for web-sites to track you across the internet.”

Web tracking is like a game of guess-who, where you expose yourself with small pieces. You like to browse red Audis? That filters out 80% of web users. You like to check available movies after that? That filters out 99.999999% of Internet users. You have unique persistent canvas fingerprint ID? Now enabling the VPN is useless in protecting your identity against the server.

“Just because one tool doesn’t offer privacy, security and anonymity, doesn’t mean you shouldn’t use it. You need to evaluate what you realistically need for your situation.”

The part that talks about adjusting different tools to fit your threat model is sound advice. Messing up the definitions once again, does disservice to the community.


Security is not lack of vulnerabilities, or a general defensively programmed system. Security is the state of being safe from your absolute threat model.
Privacy is not the same as E2EE. Anonymity is not “using Tor”.

I beg everyone here, especially the staff, to read what I wrote in The collective misunderstanding of Privacy vs Security vs Anonymity.

We really, really, really need to fix these distinctions, and this video once again failed to understand the relationship between these terms, and thus, miseducated the community.

3 Likes
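The “guess-who” description of web tracking in the post above (red Audis filter out 80% of users, the movie check filters out 99.999999%, a persistent canvas fingerprint finishes the job even behind a VPN) is Shannon self-information arithmetic. The block below is an added example for this thread, not code from the post’s author or from Privacy Guides: it turns each observation into bits of identifying information, sums them under an independence assumption, and reports how many candidates are left out of an assumed population. The fractions for the first two observations are constructed from the post’s own percentages; the canvas-hash fraction (1 in 4 billion) and the 8 billion population ceiling are illustrative assumptions.

```python
"""Surprisal arithmetic for the 'guess-who' view of web tracking.
Added example, not part of the thread. Fractions are constructed from the
post's figures (red-Audi browsing leaves 20% of users; the follow-up movie
check leaves 1 in 10^8); the canvas-fingerprint fraction (1 in 4 billion) and
the population ceiling are assumptions for illustration.
"""
import math

POPULATION = 8_000_000_000  # assumed ceiling on "everyone online"

# (observation, fraction of the population that shares it); constructed values
OBSERVATIONS = [
    ("browses red Audis", 0.20),
    ("checks movie listings afterwards", 1e-8),
    ("persistent canvas fingerprint hash", 1 / 4_000_000_000),
]


def surprisal_bits(fraction_sharing: float) -> float:
    """Shannon self-information: bits revealed by an observation that is
    shared by `fraction_sharing` of the population."""
    if not 0 < fraction_sharing <= 1:
        raise ValueError("fraction must be in (0, 1]")
    return -math.log2(fraction_sharing)


def bits_to_single_out(population: int = POPULATION) -> float:
    """Bits needed to pick exactly one person out of the population."""
    return math.log2(population)


def accumulate(observations):
    """Running total of bits, treating observations as independent (the
    simplest model; correlated attributes reveal less than their sum)."""
    total = 0.0
    rows = []
    for label, frac in observations:
        bits = surprisal_bits(frac)
        total += bits
        rows.append((label, bits, total))
    return rows, total


def candidates_left(observations, population: int = POPULATION) -> float:
    """Expected number of people still matching after all observations,
    floored at 1 (once you are unique, more bits change nothing)."""
    _, total = accumulate(observations)
    return max(1.0, population / 2 ** total)


if __name__ == "__main__":
    print(f"need {bits_to_single_out():.1f} bits to single out one of {POPULATION:,}")
    for label, bits, running in accumulate(OBSERVATIONS)[0]:
        print(f"{label:36s} +{bits:5.1f} bits  (running total {running:5.1f})")
    print("candidates after the first two observations:",
          round(candidates_left(OBSERVATIONS[:2])))
    print("candidates after the canvas hash:", candidates_left(OBSERVATIONS))
```

With the constructed figures the first two observations alone leave about 16 people matching, and the canvas hash drives that below 1: at that point the observer has already singled you out, so hiding the source IP behind a VPN changes nothing for that server, which is the post’s point about the VPN being useless against fingerprinting.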

Thanks for your extensive feedback markus, very much appreciated, we will be discussing this and come back on this.

3 Likes