Saw this floating around. Seems like they have zero interest in privacy preserving mechanisms as part of their open letter, and has focus on security for organizations.
I would disagree on Bluetooth and NFC for two/three main reasons
- Bluetooth could theoretically be used for tracking devices, like wifi.
- The fact there hasn’t been a lot of Bluetooth or NFC exploits doesn’t mean there couldn’t be. GrapheneOS themselves said they don’t do much extra protection for wireless threats. Doesn’t mean it doesn’t exist, just that it hasn’t been used yet.
- There just isn’t any good reason to have Bluetooth always on.
While the letter has some merit, it fails to treat privacy as an important part of security. Most signatories have current or former government/corporate affiliations so beware of such bias in the letter.
Privacy protections that are not classed as “security” are out of scope. Quote from their FAQ:
Do I need to do anything above the basics to protect my privacy?
Privacy in the modern era is complex, and it involves many factors that fall outside the scope of this site.
I went through each of what they call “outdated advice.” In the letter, the first three points use absolute words like “never” and “avoid,” perhaps because some people who give advice use those absolute words, but in my experience I’ve seen similar advice that has more nuance.
- Avoid public WiFi
Worded in this manner, false/outdated advice. In the context of securing connections between wifi devices, the concerns outlined are gradually becoming less relevant as wifi networks transition from obsolete protocols like WEP to newer ones like WPA3, but wifi users generally don’t have a choice of wifi encryption protocol when they connect to a wifi network and may end up connecting without adequate wifi encryption. Wifi networks and ISPs have access to traffic sent in plaintext, for instance DNS queries. Further, there’s the possibility that someone in the same location sets up a malicious wifi network that appears legitimate. Securing connections using a VPN, Tor, etc. is still good advice.
- Never scan QR codes
Worded in this manner, false/outdated advice. However, it’s still unwise to scan QR codes from untrusted or unknown sources, such as a random one stuck to a wall or post in public, if the QR code scanning app automatically fetches URLs or performs other actions as soon as a QR code is scanned. I recommend using a QR code scanning app that presents the scanned data to the user but doesn’t automatically interpret the data it scans, and that people evaluate scanned data before taking any further action upon it.
- Never charge devices from public USB ports
Worded in this manner, false/outdated advice. The letter argues there are very few instances of juice jacking in the wild and the advice is becoming outdated as people transition to modern devices. People who use a device that doesn’t have the protections outlined in the letter may want to carry their own charger that can plug into public power plugs, or use a USB condom that physically guarantees no data transfer between the charging device and an untrusted USB port.
- Turn off Bluetooth and NFC
Calling this advice outdated completely ignores the privacy implications of leaving Bluetooth turned on. Same for wifi and cellular capabilities. While pairing/connecting may involve user consent, emissions from the device before pairing/connecting (for discovering nearby devices) generally have no user input other than turning the capability off completely.
- Regularly “clear cookies”
While tracking has evolved to methods beyond cookies, to fingerprinting and persistent unique identifiers like IP addresses, it doesn’t mean tracking via cookies is no longer relevant. However, I can see how practicing this conflicts with keeping accounts signed in persistently.
- Regularly change passwords
This is the one I agree is the most outdated/obsolete and damaging. That said, passwords that are normally exposed to public view upon each use may warrant regular change, like the codes/patterns people use to unlock their smartphones.
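The QR point above recommends a scanner that shows the decoded data and lets the person decide instead of acting on it. As an added illustration (not code from the thread or from any real scanner app), the Python below takes the raw text a scanner decoded and returns a plain description plus review notes: action schemes such as tel:/sms:, credentials hidden before an @ in a URL, punycode hosts, bare-IP hosts, percent-encoding, and Wi-Fi join strings with no or obsolete encryption. The function and class names, and the sample payloads, are all hypothetical; the Wi-Fi parser ignores backslash escapes, a deliberate simplification.

```python
"""Triage of decoded QR payloads without acting on them (added example)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit, unquote
import ipaddress

WEB_SCHEMES = {"http", "https"}
# Schemes that trigger an action (call, message, payment, app hand-off) rather than a page view.
ACTION_SCHEMES = {"tel", "sms", "smsto", "mailto", "bitcoin", "intent", "market", "geo"}


@dataclass
class QrReview:
    kind: str                                   # "url", "wifi" or "text"
    summary: str                                # what a person reads before deciding
    notes: list = field(default_factory=list)   # points worth a second look


def _parse_wifi(text: str) -> dict:
    """Parse WIFI:T:<auth>;S:<ssid>;P:<pass>;H:<hidden>;; (escapes not handled)."""
    fields = {}
    for part in text[len("WIFI:"):].split(";"):
        if ":" in part:
            key, value = part.split(":", 1)
            fields[key.upper()] = value
    return fields


def review_qr_payload(data: str) -> QrReview:
    """Describe a decoded QR payload and flag things to check; never opens anything."""
    text = data.strip()

    if text.upper().startswith("WIFI:"):
        f = _parse_wifi(text)
        notes = []
        if f.get("T", "").lower() in ("", "nopass", "wep"):
            notes.append("network uses no or obsolete encryption")
        if f.get("H", "").lower() == "true":
            notes.append("hidden network: your device would probe for it by name wherever you go")
        return QrReview("wifi", f"Join Wi-Fi '{f.get('S', '?')}' (auth {f.get('T') or 'none'})", notes)

    parts = urlsplit(text)
    if parts.scheme:
        scheme = parts.scheme.lower()
        host = parts.hostname or ""
        notes = []
        if scheme in ACTION_SCHEMES:
            notes.append(f"'{scheme}:' triggers an action (call, message, payment) rather than a page view")
        elif scheme not in WEB_SCHEMES:
            notes.append(f"unusual scheme '{scheme}:'; may be handed to another app")
        if scheme == "http":
            notes.append("plain http: no transport encryption")
        if "@" in parts.netloc:
            notes.append(f"credentials before '@': the real host is '{host}', not what appears first")
        if any(label.startswith("xn--") for label in host.split(".")):
            notes.append("internationalised (punycode) host: check for look-alike characters")
        try:
            ipaddress.ip_address(host)
            notes.append("host is a bare IP address, not a named site")
        except ValueError:
            pass
        if unquote(text) != text:
            notes.append("percent-encoding present; decoded form: " + unquote(text))
        target = f"{scheme}://{host}{parts.path}" if host else text
        return QrReview("url", f"Open {target}", notes)

    return QrReview("text", f"Text: {text[:80]}", [])


if __name__ == "__main__":
    # Constructed sample payloads, not real scans.
    for sample in ("https://bank.example@evil.example/login",
                   "WIFI:T:nopass;S:FreeCafe;;",
                   "tel:+15555550100",
                   "Table 12"):
        r = review_qr_payload(sample)
        print(f"[{r.kind}] {r.summary}")
        for n in r.notes:
            print("   !", n)
```

The point of returning a structure rather than opening the target is that the decision stays with the person: the scanner shows the real host and the flagged oddities, and nothing happens until they choose.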
Many people pair wireless earphones to their smartphones. Whether that is a good reason or not, to me it isn’t, but they may consider wireless earphones a necessity.
Just enable it when you need to connect.
They “need to connect” all the time