Why did Michael Bazzell, a credible privacy expert, say that buying a smartphone from an online marketplace is bad?

If the government checks my online marketplace account, like Amazon, and sees that I bought a Pixel phone, wouldn’t they already know that if they seized my smartphone? Is the concern primarily about the time before the seizure? When the government investigates and asks Amazon for access to my account, they can see that I bought a Pixel phone, but even if they know I purchased a Pixel phone, they wouldn’t be able to identify the specific Pixel phone I have from that information alone. Am I right or wrong? My threat model is the government, thanks.

The phone you ordered could be tampered with before it got to you - that’s my best guess. And that will likely only harm you.

You may think it’s a new phone but they may have a backdoor to everything you do on it no matter what.

2 Likes

Yes, the concern is identifying you prior to the seizure. Whether that’s getting included in a geofence warrant, or being tracked via Bluetooth/NFC. Phones are highly connective devices after all. The main drawback between shopping online and paying cash in person is it’s much easier to track online sales than cash purchases.

Again, here, like with most issues, this comes down to IMEI. The IMEI of the phone will be tied to your name when you buy a phone with traceable money.

When the government investigates and asks Amazon for access to my account, they can see that I bought a Pixel phone, but even if they know I purchased a Pixel phone, they wouldn’t be able to identify the specific Pixel phone I have from that information alone. Am I right or wrong?

Without more transparency, I don’t think this is 100% knowable.

Why did Michael Bazzell, a credible privacy expert, say that buying a smartphone from an online marketplace is bad?

Michael Bazzell often implicitly or explicitly assumes a higher than average threat model. If your threat model credibly includes the possibility of being actively targeted/surveilled by a government, or highly motivated LEO, or live in one of the many countries with a bias towards ‘national security’ over civil rights and due process, then it definitely seems there are some potential risks with purchasing a device online:

  1. Targeted interception / supply chain attack
  2. Paper trail that seems like it could at least potentially link you, your name, and your mailing address, to that specific device.

3 Likes

The IMEI of the phone will be tied to your name when you buy a phone with traceable money.

I have been trying (without much luck) to find some authoritative information about this. Do you happen to have any? (That is a real question - I am not trying to be snarky.)

What I’ve found so far in my search suggests to me that:

  • Most countries don’t have an official (or at least officially acknowledged - who knows what the secret police get up to, of course) central database mapping IMEI to phone owner which phone vendors are obliged to report sales to. There is often a central database of IMEIs reported lost or stolen, and I’d guess that includes identity information of the original owners who are naturally interested in being contacted if their device is recovered. I saw a vague mention that India might have introduced a central database of all IMEIs, but I didn’t look into this in detail.

  • If a phone is used with a KYC-ed SIM, it is trivial for the mobile operators to correlate the identity on the KYC-ed SIM with the phone IMEI. So “most” phone IMEIs will effectively be linked to a real identity in this way.

  • For their own protection, businesses selling phones (new or secondhand) are likely to record the IMEI along with the customer ID in their own databases even if they aren’t legally compelled to. For example, they will want to make sure any customer returns or warranty claims are returning the device they actually sold to the customer. But it isn’t clear to me that they share this information with a central authority. They may sell it on to data brokers, although in countries with laws like GDPR this information may have some legal protection as personally identifiable information.

  • I infer that if you use a phone purchased with traceable money but a KYC-free SIM (e.g. a pre-paid cash SIM), law enforcement or other sufficiently motivated adversaries could almost certainly track you down given the IMEI (by asking at each stage along the phone’s ownership history “who did you sell this phone to?”, or short-circuiting that by asking mobile networks for the probably KYC-ed SIMs used with the phone), but if you’re mainly interested in avoiding commercial surveillance and your life isn’t at risk, it might be possible to maintain a degree of pseudonymity with a phone bought with traceable money.

  • As others have pointed out, I suspect Michael Bazzell’s emphasis on high threat situations means that buying a phone with traceable money is right out, but I don’t think that means it is automatically a terrible idea for those of us with less demanding threat models.

I’m happy to be corrected on any of this, if anyone has reliable facts!

2 Likes

Because he’s actually a huge grifter. His recommendations don’t go with a threat model; it’s just sort of vibes-based.

3 Likes

Simple answer: at many webshops the IMEI is literally on your invoice. And yes, shops register the phones they sell for warranty etc.

That’s fair enough, and I agree with you. Do you happen to know anything about the extent to which these records are shared (under legal obligation or for profit)?

I am afraid I have no insights on that.

In his podcast I heard about used phones being a potential source of problem. Say the previous owner is the worst kind of criminal: when you turn on the phone and use it, unwarranted eyes of the investigation agencies will be set upon you. I guess there is no way to tell if the previous owner can be a source of surveillance problems for you.

It pains me to say it but I believed him hook, line and sinker a bit back then. I lost a bit of interest in his OSINT rants because those don’t apply to me. Having threat models made things more sane. Going back, I probably shouldn’t have cut my old life contacts needlessly…

1 Like

Yeah, wasn’t he recommending Pop!OS for his “high threat model”? (Which doesn’t even have https for their apt repository? [https://apt.pop-os.org/])

So many “interesting” influencers in the space I swear. A good rule of thumb is: If they are trying to sell you a course, probably steer clear.

2 Likes

apt checks packages’ integrity via gpg. That’s why repos usually don’t bother with https. gpg package verification already provides most of the security you want from https.

Transport integrity and availability is the issue, not package integrity. Using http means anyone can easily deny package manager updates without the system administrator knowing about it through MitM attacks.

Thus updates are delayed and the window for exploitation is longer unless someone is constantly monitoring their repos for updates. HTTPS support is trivial to do, and not having it in 2024 is ridiculous, especially with defense in depth and all that talk of making secure Linux.
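The gap discussed in the two posts above, as an added example that is not part of the thread or of any project's code: a valid signature shows a Release file is authentic, not that it is current, so a defender can also check the age of the signed metadata to notice a repository being held back. The sample Release text, the 7-day threshold and the function names are constructed assumptions, and the input is assumed to have already passed apt's signature check.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Constructed sample of an apt Release file header (not fetched from a real repo).
SAMPLE_RELEASE = """\
Origin: example-repo
Suite: stable
Date: Mon, 01 Jan 2024 00:00:00 UTC
Valid-Until: Mon, 08 Jan 2024 00:00:00 UTC
Architectures: amd64
"""

def _field(text, name):
    """Return a Release header field parsed as an aware UTC datetime, or None."""
    for line in text.splitlines():
        if line.startswith(" "):  # indented lines are hash-list entries
            continue
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            dt = parsedate_to_datetime(value.strip())
            return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    return None

def release_staleness(text, now, max_age=timedelta(days=7)):
    """Classify signature-verified Release metadata by age.

    Returns 'expired' (past Valid-Until), 'stale' (Date older than max_age),
    'no-date' (nothing to judge freshness by) or 'fresh'.
    """
    date = _field(text, "Date")
    valid_until = _field(text, "Valid-Until")
    if valid_until is not None and now > valid_until:
        return "expired"
    if date is None:
        return "no-date"
    # Valid-Until is optional, so fall back to a local age limit on Date.
    if now - date > max_age:
        return "stale"
    return "fresh"

if __name__ == "__main__":
    print(release_staleness(SAMPLE_RELEASE, datetime.now(timezone.utc)))
```

A "stale" result on a repository that normally publishes often is the signal to compare against a second network path or mirror before assuming there were simply no updates.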

Here’s a direct quote from his most recent Extreme Privacy: Mobile Devices e-book.

I never purchase devices online because there is an immediate permanent digital trail. Even if I used an alias name for the transaction, the device was delivered somewhere and purchased with a credit or debit card which is attached to a bank account. The seller has documentation of unique identifiers for the device. All of this can be tracked. Cash at a BestBuy or other store is much more private. Fortunately, the devices we will be using are plentiful in retail locations.

If your privacy goal is hiding from the government, you’ll likely be one of the few people who actually needs to take “extreme” privacy measures. Devices and SIMs purchased in cash, mobile services set up with alias names/IDs, faraday bags, decoy phones, etc. Government authorities can identify what the make/model of a phone is through IMEI number, which is transmitted every time your phone broadcasts to a cell tower. They can also identify the service provider which is how they figure out who the owner of the phone is. However, if your service is registered in an alias name, and you regularly store the phone in a faraday to obfuscate tower data, it would be harder for the government to track you.

That’s a good standard to have.

The best influencer and content creator that I found is The Hated One:

  1. No sponsorships.
  2. No affiliates.
  3. Has nothing to sell to you, apart from his Patreon, which is his main source of income.
  4. The descriptions and comments of his videos are always filled with sources.
  5. The guy actually goes and reads through all the sources, papers, and documents; the amount of research that he does is insane.

1 Like

I think they do that stuff only for terrorists, right? They literally need to know in real time that I ordered a phone in that particular online marketplace, and they need to contact the seller and wrap that new phone with some spy program. This reminds me of when Mossad recently did this with Hamas—totally insane!

How? The seller doesn’t record the IMEI of the phone, nor does the online marketplace. So even if the government asks the seller or checks my personal account on that online marketplace, they can see that I bought a Pixel phone, but they can’t see the IMEI associated with it.

PS: Ok now I know they likely do that.

Likely yes. But it could also be for anyone the government deems “dangerous” - and that sometimes includes journalists.

This is why I’m asking you guys.