When privacy experts like Michael Bazzell say, “I use this browser or this program,” I often wonder why they are so open about what they use. Don’t they consider the risks of sharing this information for privacy purposes?
I sometimes suspect that there might be legal reasons behind their openness, such as needing to disclose what programs or software they use if called to court. Is this transparency for legal reasons, or is there another reason they are so open? Could this information potentially be used by governments or hackers to compromise their accounts?
Any insights or thoughts on this would be appreciated!
I don’t think it’s exceptionally risky; it might be considered an “opsec fail” depending on who you talk to. Ideally, the less someone knows about you the better. But let’s get real, Edward Snowden was very open about his usage of Tails and that hasn’t compromised him or other Tails users yet. In fact, that popularity and exposure made Tor’s network even more resilient, because the more people that use it the better obfuscated its users are.
All privacy tools pretty much boil down to one thing implemented in various different ways…encryption. Encryption is hard (if not impossible) for even global adversaries to break. And even when they do get past encryption, it’s typically never due to breaking the encryption, but rather other techniques which may or may not be viable options in specific situations. “Breaking encryption” is exceedingly difficult, and those recent “D-Wave” papers by the Chinese government showed that, even with quantum computers, they were only able to have minimal success with breaking RSA that’s equivalent to about 1024-bit. 1024-bit has been deprecated for over a decade, lol.
Now, I will tell you, if things get more Orwellian than they are now, these people who advocate certain privacy tools might face unforeseen legal consequences. Certain governments are already mulling over the idea of outlawing encryption for citizens. Or at the very least, it’ll be some half-ass encryption like WhatsApp or Telegram, where your data is technically “encrypted” but they have copies of your keys.
WhatsApp is black box software by Meta. If I can’t see “under the hood,” how can I or anyone else trust it? There’s a reason why Signal is earning people’s praises. When the feds call them up for information, you know what they get…Unix timestamps. That’s it.
Now I have very little doubt Facebook is giving WhatsApp data away to random people, I think. I also doubt they dish out malicious binaries on App stores. None of that is the issue. The issue is a corporation that’s basically the real life equivalent to Mr Robot’s E. Corp cooperating with the feds.
Fair point, but I only mentioned China because they were the ones that wrote that recent D-Wave paper about breaking RSA. Whether or not EU and USA feds have better/worse ways of attacking encryption, idk. Likely not; backdoors like TPM are still the most common way to get past encryption. Or if you use something like BitLocker or FileVault and Microsoft/Apple gets copies of your keys as backups. I think this is optional, but I haven’t used either in so long I can’t honestly remember.
As for the Chinese government and their regulations about encryption use among its citizenry, I’m clueless. I would imagine though it’s less democratic than the EU or USA. But really, data collection in general is horrible pretty much everywhere. Even in America. Warrantless surveillance is a real thing. And to make matters worse, I know very REAL personal examples of this loophole being used to surveil people for things not related to terrorism (which is allegedly the only legal means to do this). The only thing that really prevents us from being an “open book” is encryption, even in the democratic west.
I’ll give it a read, but I would like to say my statement was poorly worded, as I wasn’t really criticizing WhatsApp’s encryption protocols. By “half-ass” I meant how they handle your data compared to some of their counterparts. Looking to Telegram as another poor example, ever since the CEO’s arrest they changed their ToS and now directly admit that they will cooperate with authorities if they want someone’s number or IP address. There’s absolutely no reason to think Meta wouldn’t do the same. Probably put up less resistance actually (Durov actually had to get arrested first. No one at Meta is going to jail for you, lol. Especially when Snowden leaked that Facebook is partners with the NSA). Signal is really the spearhead others should be modeling their messaging apps around. No one, including them, has access to your encrypted messages.
Ah fellow human brother/sister don’t you know what world we live in? We live in a money first world. Bazzell and others need to make content to sell their products.
Why else do most people do what they do?
Like Arnold Schwarzenegger said in a recent Tim Ferriss podcast: sell, sell, sell!
Have a great day.
FUD is used to sound cool on chat forums, but when you make a claim, maybe back it up with actual facts rather than a fantasy TV series like Mr. Robot? Because audit reports don’t back up your claim of WhatsApp’s encryption being half-assed.
WhatsApp’s encryption, and the exceptions to that encryption, have been out in the open for a while, i.e. person-to-person chats are encrypted, chats with businesses are not encrypted, when someone reports your message it gets reported in plaintext (iirc), etc. Comparing WA to Signal/SimpleX is a whole other debate on feature integration, or lack thereof, for security/privacy.
I already addressed this with @Anon47486929. Yes, I agree there’s nothing inherently wrong with their encryption, but that wasn’t really the point I was trying to convey anyway.
There is no reason to compare WA to Signal/SimpleX (or Session for that matter) because they are clearly superior in all respects related to your privacy. The only time to use WA is in situations when you don’t care about Meta having access to your data (and possibly law enforcement too).
There is, for the very basic reason that different people have different needs, and different threat models for their privacy. Comparison is “a good way” to educate people en masse about the features and the cost that they come with.
The only time to use WA is in situations when you don’t care about Meta having access to your data (and possibly law enforcement too).
Again with the dramatic renditions of blanket statements which undermine everything about having a guide for getting more private in our digital presence. Statements like “big brother is watching / privacy is dead / blah blah blah” don’t add anything constructive to the discussion, and imho are more likely to send people into privacy burnouts because, well, FUD does that to people!
Okay, so in your view, what constitutes a threat model where WA is a suitable choice but something like Signal would be “overkill?” Because the way I see it, WA is suitable only for people who have no threat model at all. And even then, when you think about programs like PRISM or other classified data collection operations that passively collect essentially EVERYONE’S data, even people with no threat model aren’t really safe (Meta is partners with the NSA).
I guess we’re at the point of agree to disagree haha. I don’t really want to hijack OP’s thread anymore than it already is. All I can say is we must have very different definitions of FUD. To me, FUD is when someone spreads unverified claims or potentially even misinformation. Allow me to be VERY clear about one thing. If you use WA, Meta WILL have access to your communications, and by extension, anyone collaborating with Meta WILL also have access to your communications, and that includes the authorities. In my opinion, there’s no reason to care about privacy if you don’t account for “big brother.”
This is true. I guess another way of wording it is everybody has the basic threat model of the government. And those stakes only rise exponentially when we start including people living in oppressive regimes. And in those situations, your data isn’t the only thing at risk anymore, it could be your life as well. There is no room for error in those scenarios.
Because it just sets a very low bar to be beaten. It’s better than SMS or SMTP. That’s about it, and those are very low bars indeed. Literally any other encrypted messaging app (barring Telegram…maybe) is better.
I’m saying Meta has been a verified partner of the NSA. Their code is proprietary, and their track record with handling user data is very poor. If the right type of adversary is interested in you, you shouldn’t be using WA. And that includes basically anything beyond basic threat models. And I’m skeptical with even basic threat models considering some of these classified programs (PRISM is an example of something we only know about because of Snowden. There are more programs we aren’t aware of yet). I mean, if all you’re doing is chatting with old high-school buddies or whatever (basically the Tom, Dick and Harry analogy) it’s probably not the end of the world. No one is going to come knocking on your door because of that.
It all comes down to: because Facebook (or Meta).
It’s the same argument as “because Microsoft.” Or because “Google.”
Some might call that fear mongering or FUD, but some lost trust in those companies for very valid reasons.
Back on topic, I’d like to reiterate OP’s question. If you reveal one app, there aren’t any risks, but if you reveal all the apps you use, wouldn’t it be really easy to trace back to you as an individual?
I know it doesn’t work like browser fingerprinting (extensions you use for instance), but wouldn’t there be a similar risk?
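The question above is, at bottom, about how much identifying information a set of disclosed tool choices carries, which is the same arithmetic browser-fingerprinting projects use: each attribute with prevalence p in the population reveals -log2(p) bits, and independent attributes add up until the expected number of people sharing the whole combination drops toward one. The following Python is an added illustration, not code from this thread or from any project named in it; the prevalence figures and the population size are constructed placeholders, and the independence assumption is an explicit simplification (privacy-minded users cluster, so real combinations reveal less than the sum).

```python
import math

# Constructed, hypothetical prevalence figures: the fraction of some population
# that uses each tool. These are NOT real usage statistics; they only serve to
# show how disclosures combine.
TOOL_PREVALENCE = {
    "firefox": 0.20,
    "tails": 0.001,
    "signal": 0.05,
    "proton_mail": 0.02,
    "keepassxc": 0.01,
}


def surprisal_bits(prevalence):
    """Bits of identifying information carried by one attribute.

    An attribute shared by everyone (p = 1) reveals 0 bits; one shared by
    half the population reveals 1 bit; by a quarter, 2 bits, and so on.
    """
    if not 0 < prevalence <= 1:
        raise ValueError("prevalence must be in (0, 1]")
    return -math.log2(prevalence)


def combined_bits(tools):
    """Total bits revealed by disclosing a set of tools.

    Assumes the choices are statistically independent, so the surprisals add.
    That is an upper bound: correlated choices (most Tails users also use
    Signal, say) reveal fewer bits than this sum.
    """
    return sum(surprisal_bits(TOOL_PREVALENCE[t]) for t in tools)


def bits_to_identify(population):
    """Bits needed to single out one individual in a population of this size."""
    return math.log2(population)


def anonymity_set(tools, population):
    """Expected number of people in the population sharing this exact combination.

    Once this approaches 1, the disclosed set is effectively a fingerprint.
    """
    return population * 2 ** -combined_bits(tools)


def is_near_unique(tools, population, threshold=1.0):
    """True when the disclosed combination is expected to match at most
    `threshold` people, i.e. it identifies rather than merely describes."""
    return anonymity_set(tools, population) <= threshold


if __name__ == "__main__":
    world = 8_000_000_000  # placeholder population, not a measured figure
    one = ["firefox"]
    everything = list(TOOL_PREVALENCE)
    print(f"to single out one person in {world:,} you need "
          f"{bits_to_identify(world):.1f} bits")
    print(f"revealing {one}: {combined_bits(one):.1f} bits, "
          f"~{anonymity_set(one, world):,.0f} people share it")
    print(f"revealing {everything}: {combined_bits(everything):.1f} bits, "
          f"~{anonymity_set(everything, world):,.0f} people share it")
```

Under the constructed numbers, naming one mainstream browser reveals about 2.3 bits and leaves the poster in a crowd of well over a billion; naming all five tools reveals about 28.9 bits, which against a population of eight billion (about 32.9 bits) still leaves an expected crowd of sixteen, but against a smaller relevant population (one country, one forum's readership) the same disclosure becomes unique. That is the sense in which the individual reveals are harmless while the full set is not, and why the independence caveat matters: the defensive question is not whether a given tool is secret, but how far the combination shrinks the crowd you can hide in.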