The challenges of locking down my cyber-life

In January 2019, I wrote a post (which see for further links) I have shared often since about how I intended to “lock down my cyber-life.” That was six months ago. I made lots of progress, but it seems I’m far from finished, too.

In that post, I explained three problems about computer technology (viz., they put at risk our security, free speech, and privacy). I resolved to solve these problems, at least in my own case, by executing a lengthy to do list involving such things as adopting a better method of managing my passwords and quitting social media.

So the problem is that I didn’t quite finish the job. Finishing the job, as it turns out, is kind of difficult. There’s always a little more that can be done. Simple-sounding tasks, like switching browsers, can have aspects that one just never get around to. So in the following, I’m going to discuss the things I haven’t actually done. Perhaps in a later post I’ll make a to do list that you can use. But first I need to just talk things through.

1. Stop using Chrome. Well, of course, I did stop; that was easy. I’m not sure when the last time I opened Chrome was. I switched to 95% Brave, but also 5% Firefox for those times when Brave seems to have a weird Javascript issue (what’s up with that, Brendan Eich?). But I still have so many questions:
   • What do all of these different features of Brave do, really?
   • Do they really work? Are they adequate? Are there other plugins I should be using on top of what is built into Brave?
   • When I don’t want a website to be able to infer who I am, must I use the Tor feature? Does browsing “Privately” help at all? (It deletes cookies, OK, but…)
   • What should my cookie strategy be? Should I generally browse with cookies off?
   • What are best practices for browsing generally? I remember reading a bunch of things in The Art of Invisibility that I thought were good ideas but which I don’t think I ever implemented.
2. Stop using Google Search. I use DuckDuckGo about 90% of the time, StartPage (which uses Google results) for the 10% when I think Google might have better results (which it does maybe 20% of the time, to be honest—that’s when I’m dissatisfied with what I get from DDG). Sadly, I do rarely use Google News when I need to look more deeply through the news. So:
   • How do I comprehensively search recent news without using Google News? (I just haven’t investigated the question, that’s all. There are lots of apps, but are any really comprehensive while also respecting user privacy?)
3. Start using (better) password management software. Don’t let your browser store your passwords. And never use another social login again. So I’m doing pretty well here. I did stop using social logins many months ago and never looked back; if you’re already using a password manager, they aren’t an added convenience. The password manager I use is Enpass, which is easy to use and allows me to sync directly between my devices and my NAS, bypassing the cloud (unless you want to call my NAS a “private cloud”). My only misgiving is that Enpass is not open source, which means they could be sending copies of my passwords to their servers, and customers (who would otherwise be helped by the OSS community) wouldn’t be any the wiser. Now, I guess I trust Enpass, but I’m thinking:
   • Is there in 2019 a password manager that is (1) easy to use (has autofill capabilities in browsers, at least computer browsers), (2) open source, and (3) allows me to sync my passwords across iPhone and two Ubuntu computers (using WebDAV)? I haven’t taken the time to look into Bitwarden yet.
   • I have inadvertently saved a few passwords in my browser. Gotta delete them.
   • I am still using old, insecure passwords on many minor accounts I haven’t opened in years. I should at least do an audit of the most important accounts I haven’t touched in a while (that could pose a danger) and change those passwords.
   • I have to get my wife and younger son using password managers, both for their sake and because *ahem* it’s possible they could be a backdoor into my systems.
   • WebDav is a secure protocol, right?
4. Stop using gmail. Well, I’m mostly done with this; I pay for my own hosting, although the data itself is on somebody else’s server, and I use my own domain name (sanger.io). But I still have a Gmail account, and that simple fact is still bothering me. Part of the reason for this is that there are still some accounts I made that made use of my Gmail account, and I might lose control of them if I delete my address. The other problem is YouTube. In sum:
   • Is it adequately secure that I host my own email? I’ve protected my privacy against incursions by Gmail (as long as there isn’t a Gmail user in the thread…), but shouldn’t I be using a service that provides zero-knowledge encryption? That would be quite a bit more expensive, I think.
   • Again, I need to review all my old accounts for importance, and switch the email address and passwords from Gmail to my personal email address.
   • Probably, I should turn on a vacation message for a couple of months, just on general principles, before permanently deleting.
   • Wait, is it possible to delete my Gmail account without entirely removing my Google account? Oh good, yes it is.
   • I still haven’t downloaded and started separately maintaining my own address book (this is a huge oversight on my part). I think I should do that before deleting Gmail.
5. Stop using iCloud to sync your iPhone data with your desktop and laptop data; replace it with wi-fi sync. This is mostly done. I mean, I flipped some switches, but completely extricating yourself from iCloud if you’ve been actively using it isn’t simple. I went through a bunch of different menus on my phone. On the other hand, I think my son is still using my account’s free iCloud space on the MacBook I gave him (that was when I switched to Ubuntu). So I’m not sure.
   • Investigate thoroughly how to ensure that I’m no longer using iCloud and whether I really for any purpose must use it if I’m going to keep using my iPhone. Pretty sure I don’t.
   • Discuss with/negotiate with/frown sternly at son to determine whether he really needs to use iCloud. He likes the “find my iPhone” feature. Ugh.
6. Subscribe to a VPN. Done! But:
   • Look again into my choice of VPN now that I’ve been using it for a few months.
   • Should I not perhaps give myself another option? Other people switch between VPNs. I haven’t had a need to yet.
   • VPNs might protect you from being protected from unsophisticated identification tactics, but they don’t protect you from malicious/tracking cookies (see above), digital fingerprinting, or VPNs who lie and/or collude with governments or criminal organizations about whether they keep logs. What really is the best way?
7. Get identity theft protection. Done; this is one area where I have nothing further in mind to do.
8. Switch to Linux. Yeah, baby! Ubuntu installed on my desktop and laptop. Very happy with it. So much nicer in many ways than both Windows and Mac. Not looking back. I very much recommend it. But:
   • I’m not sure I’ve optimized my systems for security adequately. Need to do an audit.
   • First, I need to do research on what such an audit would look like. Maybe this, maybe more.
   • Ugh, if I’m going to do this right, I need to study Bash more so I can really understand networking (like iptables) better.
   • And then I need to study infosec properly. Something like this?
9. Quit social media, or at least nail down a sensible social media use policy. I quit and have nothing left to do (as far as I know) with Facebook, Instagram, Quora, and Medium (at least). This is still, however—it turns out—is a huge pain point for me. I’ll just dive into the individual issues:
   • I said I’d stay in touch with family and friends via a mailing list. I haven’t been doing that. I’m sorry. But there’s a huge difference between interacting randomly with people I know and pushing out my personal news to a bunch of people’s email inbox.
   • Hence I’m inclined to think I need to start interacting a lot more on some alternative social network. But none seem to be “happening” yet, although there are some. We’re getting there; we’re getting closer.
   • So maybe I should organized another strike or a mass try-out as I said. But ugh. Both of those are a lot of work and distract from other important priorities. I’m not trying to be a rabble-rouser except to solve my own problem here, honest.
   • YouTube is increasingly problematic. But I still use it. BitChute and others have some copies of videos I want to see, but definitely not all of it. Maybe I should use a proxy/republisher/search provider of some sort, but wouldn’t that still enable Google/YT to track me? Well, how would I use it without being tracked—like an anon account I use only behind Tor or something? Is that even feasible? Could I live without it? Should I? (I would be cutting myself off from a lot of stuff I want to keep up with. Are there other ways to keep up with it?)
   • Twitter: well, OK, just in the last few weeks I’ve started posting more randomly as I used to, not just in promotion of my blog and Everipedia and programming. Again, I’m sorry. I’ve been a bad boy. I think I should rein myself in. Right? No doubt. I should probably just re-read this. Maybe update it.
   • I gotta think about installing my very own Mastodon instance. It could get big. I have a friend (several friends) who could help. Hmm. This might be a good idea for me. My friends would join. Then I’d just have to get them to interact with me and each other there. Could work!
10. Stop using public cloud storage. This is 90% done! I installed a NAS, all my files are on it. But:
    • I need to do a proper sync with my desktop instead of accessing via the (convenient, but slow and not right for daily workstation use) browser and mobile apps. (You’d know what I meant if you had a NAS. This is a problem you want to have. You just want a NAS. You will thank me.)
11. Nail down a backup plan. I have a zero-knowledge encryption service…but in the cloud. So it’s done and I think it’s secure, but I’m not that happy about it. For backup, I’ll switch to another less centralized solution when I am convinced that one works properly with all the features I need; I’m pretty confident that none do yet, but there are plenty of people working on such.) Issues:
    • All righty then, how are those decentralized alternatives coming along?
    • Is zero-knowledge encryption backup really secure? Come on, really? And the service I’m using isn’t open source, is it? That sucks.
    • I haven’t organized my old backup files (which used to live on a large old external drive) and investigated them generally. I did back them up, right? Surely I did. Need to triple-check.
12. Take control of my contact and friend lists. Well, I don’t store my active contacts in iCloud, so that’s a start. The most up-to-date database is the one that is local to my iPhone. I really haven’t made much a start on this:
    • I don’t use my Gmail address book, but Google still has access to it, so that sucks. Really need to finally delete Gmail so I can delete those contacts. I feel like I’m letting my friends down by letting them keep that data.
    • Pretty sure Microsoft still has some contact data in the cloud as well. Looks like I’ll have to fire up the crappy old Windows partition, investigate, and nuke.
13. Stop using Google Calendar. So here is a way in which I am cooler than you. (There aren’t many ways, but this is one.) My calendar works via my NAS. I set it up using CalDAV, which frankly I wouldn’t have been able to do if I weren’t comfortable with rather geeky stuff. That isn’t to say you couldn’t engage your geeky friends or family members to set your NAS up with this functionality. I still use the Apple app but they don’t have my data; it updates directly with my NAS via CalDAV. I even gave an associate of mine an account for updating my calendar directly, something I wouldn’t feel so comfortable doing on gCal. Anyway, no adjustments needed at this time.
14. Study and make use of website/service/device privacy options. OK, so now this is a bit of a problem. I never really did this properly. I spent many hours, but I was haphazard and I left out a lot of important sites. Indeed there are some sites that perhaps I shouldn’t be using at all if I really want to be hardcore about privacy. Let me give a partial list, with notes:
    • Amazon: They’re pretty goddamn evil. They do store a hell of a lot of data about you. But I should check them out some more and make sure of my harsh judgment, because just getting rid of them would be pretty difficult. They’re so convenient. But the rest of the Internet is very big, you know. I could look stuff up on Amazon without logging in and not using cookies, and then buy elsewhere (e.g., books from Powell’s in Portland, or whatever).
    • Netflix: It (like Prime Video, which we ditched) is becoming more like TV used to be, as someone predicted not too long ago. As these services proliferate, you’ll have to subscribe to many if you want to have good access. Well, my family went without any access (just DVDs) for years. Didn’t do us harm. I know my wife wouldn’t complain, except insofar as the boys would complain. And is it really necessary to get rid of a big source of entertainment just to secure your privacy?
    • Expedia: Do they sell my travel data? Well…so should I buy direct from the airlines? Are they any better?
    • Etc. I need to go through assorted other apps I have installed and accounts I have opened, which I have ignored but which might find ways to track me, and which it might actually benefit me to uninstall/remove account. This could extend this to do list very long indeed.
15. Also study the security and privacy of other categories of data. I haven’t done this at all. Another long list, in each case asking: well, what are my risks to security and privacy, and how can I mitigate them?
    • banking data
    • medical data
    • automobile data
    • telephone/cell data
    • credit card (including shopping) data: Is it getting quite unreasonable to make a regular habit of buying gift cards and using them to avoid putting all that shopping data out there? Well folks, I’m not afraid to admit that I’m thinking: maybe.
16. Figure out how to change my passwords regularly, maybe. I’ve been thinking about this one and I’m fairly sure I’m not going to bother with most, but I do have more refined ideas about how to approach this. I think this is reasonable (comments welcome):
    • Make a list of unusually sensitive passwords. Not too many (maybe 5-10) or you won’t do the next step:
    • Change those ones quarterly.
17. Consider using PGP, the old encryption protocol (or an updated version, like GNU Privacy Guard) with work colleagues and family who are into it. I looked into this but never followed through. Won’t take long. Just need to take the time, and then start using it with those very few people who are geeky enough to use it as well.
18. Moar privacy thangs. None of these are done.
    • Buy a Purism Librem 5 phone. Just to support the cause. I might actually do this, but I’ve been waiting for more evidence that I’d actually, you know, want to use the damn thing. But I sometimes think I’m morally obligated to spend the money anyway, because the thing so badly needs to exist.
    • Physical security key. Maybe just for the laptop, when I’m traveling. I have one. I might get a different one (since this one was given to me, and so…). The biggest trouble is to pick one out and then learn how to use it.
    • Encrypt my drives. Is that even possible after I’ve started using them? No idea. Is it really worth it? Don’t know. Need to investigate.
    • Credit card use for shopping. I could buy some prepaid credit cards or gift cards; this is a Kevin Mitnick suggestion, which he goes into in great detail in The Art of Invisibility. I might not go into all of that as I am not a federal criminal. My wife, who is also not a federal criminal, might go in for this as she is soo private. “How private is she?” you ask. She’s so private, she would probably not want me to say that she’s very private. True!

What have I left out? A fair few of my readers know all this stuff better than I do. Can you answer my questions? Please do so below.