mjolnirr
New Member
Howdy y'all! Good morning. Happy mothafuckin SATURDAY!!
I wanted to write this up, because I am a strong believer in privacy, I have a very strong background in IT (specifically IT Security), and I know it seems like a TON of people just are unsure about how to gain privacy online and how to keep their lives and livelihoods safe from those fucking assholes that enforce the laws of the 100% unnecessary "War on Drugs." This post is meant to provide detailed information about privacy and the different entities that spy on us and why. The government portion is focused on the US as that is where I am, but it applies to most modern countries and many are FAR WORSE than the US in terms of digital privacy.
The recommendations are meant to be a guide to total internet hygiene and privacy. I think you'll find the tips extremely helpful, not only in regards to the allegedly grey-market stuff some of us on this forum may or may not partake in, but also just in general in life.
INTRO/BACKGROUND (or just skip down to the recommendations if you want, but there is good stuff in here!)
Privacy is of paramount importance for peeps like you and me, who allegedly do things online that some might consider to be "not good." In the modern age, ISPs track and log EVERY SINGLE THING you do online. They know what kind of porn you watch, they know what your hobbies and interests are, they know a good bit about the medical issues you face in life, medications you take, illegal drugs you use or are interested in, they know WAY more than I think they should. Which is why I am writing this guide to help us all out.
The length of time that this information is kept varies wildly. Federal laws actually dictate that ISPs must keep logs relevant to identity of the user for X number of days/months to ensure that if the government needs to subpoena or request logs, they are able to do so. There are laws requiring ISPs to keep logs in nearly every country, and some of the big ones are:
- USA: 90 days
- EU: 6 months
- China: 6 months
- India: "usually 3-6 months"
One thing to note is that those laws also vary by country as far as exactly what the ISP is required to log and how the ISP is required to work with Law Enforcement. Usually ISPs don't keep ALL logs for longer than necessary or gather more info than necessary, since those logs cost them money to collect and store. However, if you are doing anything sketchy, like torrenting, using TOR browser or one of its alternatives, There are tons of different laws that relate to the right to privacy and anonymity online, including, but not limited to: the National Security Act; Foreign Intelligence Surveillance Act; USA PATRIOT Act; Terrorist Surveillance Program; Electronic Communications Privacy Act. There is WAY too much for me to get into each one, nor do I really want to become a self-proclaimed lawyer of digital rights--there is just too much legal crap about each individual law. The point is that the US government, and most other governments, put into place whenever possible laws that invade our privacy as much as possible. If there isn't a law specifically prohibiting them from doing something, assume they are doing it...and even if there is, they might do it anyway (Snowden). They do every single thing within their power to track everything we do online, all in the name of protecting national security and many other excuses.
I'm not trying to make this a political discussion and will request that people refrain from making political comments; the next two statements are simply factual events that occurred and I am calling out the party responsible: we could have had more rights, but this happened instead. Unfortunately, it is way too fucking difficult to get our rights to privacy expanded. In fact, in the US there was an attempt last year to expand privacy to protect Americans' internet browsing and search histories from federal surveillance, but it failed by ONE fucking vote because the Republican party basically said they will no longer support this bill because Trump switched his opinion and no longer liked it, bitching about it in tweets repeatedly. More detail about how the Republicans refused to let us have more privacy rights: "At the request of the Speaker of the House, I am withdrawing consideration of the FISA Act. The two-thirds of the Republican Party that voted for this bill in March have indicated they are going to vote against it now," Hoyer, D-Md., said in a statement.
Republicans have also introduced multiple bills trying to entirely ban the use of encryption or provide the government backdoors to decrypt ALL encryption technologies, all in the name of "national security" as they often do, and the constantly-used excuse that it is just to prevent inappropriate child-materials from circulating the internet. I absolutely 100% support catching and imprisoning people who consume inappropriate child materials, that is disgusting and they should be prosecuted HARD, but I am vehemently opposed to invading and destroying the privacy rights of every person in America in the process of doing so.
Related side track: This is an AMAZING resource that is quick and easy to read about what exactly the government can request with and without a warrant.
So, we have covered ISPs to some degree as well as Government Agencies/Entities. We have scratched the surface on the fight for digital privacy and those who fight against it. As though these things aren't bad enough, add in the fact that data mining and tracking is BIG BIG BIG business. Like, fucking huge. In 2019 it was a $125.18 BILLION dollar business in the United States ALONE. That is expected to increase to $152.97 BILLION by 2024, again that is just in the US. Advertising is literally the backbone of these companies and it is built off of YOUR and MY private, personal data. Two of the biggest are:
- Facebook: 97.9% of revenue comes from advertising
- Google: 70.7% of revenue comes from advertising
For example, Facebook tracks every site you visit that it possibly can, even outside of Facebook itself. They do this by using cookies to track your non-facebook activity on any site that has facebook extension features. You know the little facebook/twitter/pinterest/whatever extension where you can click on it to like something right from that page? Like this:
Or ones that have the "login with facebook/google/apple" SSO feature? All the sites with those social SSO extensions feed info back to facebook, sharing exactly what you visited in that site, exactly what you did on the site and when you did it, even potentially how long you visited specific pages/looked at specific images. Another important thing is that these companies share data in both directions (often accompanied with a financial transaction): any website that uses the facebook feature sends info back to facebook, but facebook can also share info with them. This means these random third party websites can often see things like your full name, gender, email address, phone number, relationship status, and more. Basically anything you put on that god forsaken social media site can and will be shared with anybody they possibly can--for the right price!!! $$$$ The same goes for all these other sites.
Article: Think twice before using facebook, google, or apple to sign in everywhere.
Tracking data is BIG MONEY. That is the primary motivator for all these private companies I mentioned. They actually build massive virtual profiles of each individual that uses their services. As I said at the beginning, they know what your hobbies and interests are, they know where you live, where you sleep, your favorite restaurants, your sexual preferences/habits, and more. They aggregate all this information at any chance they get. These companies sell this data to one another to expand their data sets and compile even more information. Their main motivator: advertising. Ads that are targeted to you based off your interests are more likely to be clicked on (though I personally truly do not understand who the fuck clicks on an ad). Even if I see an ad I like (which almost never happens) I will just open a new tab and search for that product. I actively go out of my way to ensure they make as little money off of me as possible.
Article: Google is giving data to police based off search keywords
So does that mean google will give police info of what keywords you searched for? Yeah! That is not even in question. This is actually much worse. What this means is that the five-O say "Hey google, give me the name, address, telephone number, Social Security numbers and IP addresses related to every person who searched for <insert search term here>." This means even if you aren't under investigation, you could get eyes on you and potentially be investigated because you searched for a certain term using google when you were logged in and not using VPN and not using a private browser, so they could tell who you are. This is why using good OPSEC protocols (operational security) and a paid VPN that doesn't keep any logs is SO important!
There are many instances
Alright, so we have covered the following:
1. ISPs track you and will sometimes track you extra if there is suspicious traffic coming from your computer/network. This could be TOR browser, torrenting, scanning other networks or doing anything that looks like it could be malicious, etc.
2. The government tracks the hell out of you at every possible opportunity, some legal...some not...this is through your PC, your phone, your smart appliances and your google home/alexa, your "smart" car. The more technology you're surrounded by, the less privacy you have. Personally, I won't ever buy a car newer than 2012 or 2013, because I refuse to take part in this smart bullshit. It is a safety risk as well as a privacy risk.
3. Private Companies track you like crazy as far and wide as possible, exchange and sell your data between dozens of different business entities, all in the name of profit at the expense of your privacy.
RECOMMENDATIONS:
You can mitigate these issues and maintain anonymity and privacy online--it actually isn't that hard if you are smart and careful. All it takes is a few privacy programs and features, some knowledge and understanding, and good privacy/OPSEC hygiene and habits to make it happen. This is not a fully exhaustive list, but if you did everything on here you are going to be in very good shape. After reading through and implementing these things, searching DuckDuckGo for more information about privacy settings and how to be private/anonymous online would be a great thing to do.
So here is the list, go!
1. First things first, use a good, PAID VPN that does not keep logs. The following are considered the best VPNs.
- ExpressVPN - there is a real-world case where one of their servers was seized by law enforcement and turned up ZERO information, which verifies that they really do not keep any logs. They also have a third-party audit verifying that they do not keep logs. This is the number 1 choice for VPNs IMO.
- Perfect Privacy - there may be a real-world case here too. Perfect Privacy announced that Dutch authorities had seized two of their servers as part of an investigation and said nothing was turned up as they don't keep logs. They didn't say why the servers were seized though, so it's possible that they weren't looking for customer connection logs anyway...we aren't really sure.
- VyprVPN - third-party audited to verify no logs are kept at all
- NordVPN - has an audit verifying they don't keep logs, however this was an internal audit, so it is possible it's not true, though we have NO reason to believe that is the case.
- PureVPN was proven by an FBI case that THEY DO FUCKING KEEP LOGS. They are fucking LIARS and if you use PureVPN you should cancel your account immediately and switch to one of the other 3 above. Since then they have said they've updated their policy and no longer keep logs, but I wouldn't trust them ever again, not after someone got arrested (not saying they didn't deserve it, but the principles of PureVPN as a company are obviously bullshit).
- ^^ Personally I would use ExpressVPN, VyprVPN, and would also be comfortable using Perfect Privacy or NordVPN, myself. DO NOT use free VPNs!! ^^
2. If you use chrome, make sure you're not logged in to chrome itself, that will allow google to see every single site you visit and what you do ALL THE TIME. Does your chrome browser look like this? Because it should! DO NOT log in to the browser itself!!
3a. Best practice, use VirtualBox and build out a privacy virtual machine (VM) using Tails (preferable) or linux (acceptable) to use for anything related to "shopping" or other allegedly not-so-legal activities. Use a VPN on your host machine, then also install another VPN from a different provider on your VM, then use TOR from your privacy VM and also have your crypto wallet and all your PGP keys and utilities installed there too. This is the machine you will actually DO stuff from.
3b. Always use a different, privacy based browser for all grey-area activity--or just ALL activity, like I usually do. Technically 3a is probably overkill for just ordering some gear over anonymous email. However, it can be good to be on the safe side. Regardless, for just browsing things like forums about steroids, drugs, etc., I prefer DuckDuckGo browser and search engine and obviously always be connected to VPN. There's no reason not to use DuckDuckGo browser. At minimum, if you are against DuckDuckGo you should ALWAYS use a private browsing session before you navigate to any of these sorts of sites, and use DuckDuckGo search engine. Important note: if you are connected to a VPN, but then you are logged in to Amazon or Facebook or something from the same device, then investigators could easily aggregate those logs and determine that you were connected to that VPN server at a specific time. This is why it is so important to log out of other web apps and close out unnecessary windows when doing anything potentially shady.
4. Use an anonymous email provider, such as ProtonMail, Tutanota, SecureEmail. There are some others, but those are the big names.
5. Make sure to ENCRYPT your messages especially if they contain sensitive information!! Learn how to use PGP. I know some of these services say "automatic encryption" but you can't trust it. First, often a password must be agreed upon for that to work, and most people don't actually use it. So the email just ends up being unencrypted. Your best bet is to get the PGP key for the other party and manually encrypt your message using their key. Then send them your key so they can encrypt messages back to you using your own key, and you can decrypt and read them. Even better, learn how to use signed messages, so you can verify who you're talking to. Search DuckDuckGo for how to do this, it really isn't that hard. I just use bash command line for this stuff, but for Windows the best app is probably Kleopatra.
6. Next, go through any accounts you have, google, yahoo, facebook, twitter, linkedin, insta, whatever, and manually change all the privacy settings to minimize the amount of tracking they do on your account. This won't STOP it entirely, but it will limit it. Also, do a quick search to find whether it is possible to request they delete all your data. For example, for Google and Facebook, they will track your location history and keep it forever. They'll have every GPS coordinate you've been to for the last X years, BUT you can request they delete all your location history, etc., then turn off the setting so they stop gathering this in the future. Some people don't care about it and like being able to see where they've been, but personally, I don't have any fucking desire for google or facebook or ANYONE ELSE other than me to know where I have been, they can suck a big fat dick instead.
6a. Also, note that companies UPDATE these settings and options on occasion!! So it is important to go back and review them maybe once or twice per year. I just went back to facebook and found they added a bunch more settings and guess what, they defaulted to be ON!! So I had to go turn that shit off.
6b. NEVER use the "login with facebook/google/apple" features. If you struggle to remember passwords (and even if you don't), download a good, free app like PasswordSafe or KeePass and use a super strong password for it. A good example of a password is: "I won't 3ver forg3t!!This PASSwerd-because it is SO EASY TO remember$4$4". Using long phrases like that with some l337 and special chars here and there is the best way to go. Phrases are easy to remember and that is so long that it would take decades to brute force it with today's technology.
7. I swear, please do not be one of the idiots that doesn't update your profile settings on your social media sites! By default, they make almost EVERYTHING public and collect ALL the data they can. Your photos, your posts, the things you like, what school you went to, sometimes even your email address and birthday!! CHANGE YOUR FUCKING SETTINGS!! It only takes 10 mins or so to fix all this stuff and make it so that only your friends can see it. If you have had these settings on for the last several years, you can request to download your data from sites like Facebook and Google--that will give you a nice idea of just how much these companies track. Then make sure you request to delete it all.
7a. For privacy settings, set everything possible to either "Only Me" or "Friends" - don't even do "Friends of Friends" because SO many people just add anyone that sends them a friend request. This is how the fucking Russians and Chinese and African hackers social engineer people so easily: they friend them on Facebook/LinkedIn and then they learn ALL this info about them and are able to fuck them over. Just make your profile more private. Turn off fucking face recognition too!
8. On the topic of facial recognition, I will also mention that fucking evil companies like Clearview AI literally scrape social media websites (even though it's against their terms of service) to steal pictures of you to plug into their facial recognition algorithm, which they then share with law enforcement!! This is part of why #5 is fucking CRITICAL!!! Make your photos private, for the love of god!! There have been people who have been wrongfully arrested because of Clearview AI! As of last February, they had 3 BILLION pictures in their database and law enforcement have been able to get a warrant for an arrest solely based on a facial recognition match. Honestly, the CEO is a piece of shit who is selling his tech to several countries with track records of human rights violations. It seems their tech is pretty fucking shitty; some of the matches it provides are just blatantly wrong, which as we saw above has led to wrongful arrests and innocent people spending time in jail. The less it has on you, the better. This is just one more reason why it is SO FUCKING IMPORTANT to make your shit PRIVATE!!! A few bills have been introduced to try to protect people from facial recognition in the hands of law enforcement, but they haven't gone anywhere.
9. From the mobile side: at minimum, take the 20ish minutes to tweak the shit out of your phone settings for maximum privacy. Just use DuckDuckGo to search for "Android/iOS version <X> privacy settings guide" (your version) or something similar. Then follow the advice to ensure your phone is set up for maximum privacy. Personally, I would also recommend uninstalling any apps that track you when you're not actively using them. This includes Facebook app and Facebook messenger, TikTok (one of the absolute worst), Instagram and LinkedIn (both owned by Facebook), Twitter, and more. First off, do these sites really improve your quality of life? Are these services REALLY worth spending your time and life using? Is there nothing better you could do with your time?
9a. Make sure to turn off your location when you're not actively using maps and your wi-fi when you're not at home. Also make use of airplane mode whenever you can! This will prevent your location from being tracked. Use a VPN on your phone, too. Google has a literal map of ALL the different wi-fi networks in the entire country. It can determine your location simply based off of what wi-fi networks your phone can see when wi-fi is on. Turning it off stops this scanning from taking effect and makes it harder for companies to track you.
9b. Check out privacy extensions and apps such as: uMatrix, HTTPS Everywhere, NoScript, AdBlock Plus for browsers. Check out Photo EXIF Editor to remove personally identifiable information from photos before you post them online (you wouldn't believe how revealing photo metadata is, this lets you clear it all out so it is literally just a photo with a filename). Check out FreeOTP instead of Google Authenticator, as Google Auth isn't open source and we don't know what they can see in the app. Check out apps like AccessDots to be alerted when an app is accessing your microphone or camera.
10. Lastly, remember that BITCOIN ISN'T FUCKING PRIVATE!! The government can track and trace bitcoin transactions, as well as many other cryptocurrencies. You need to use something like Monero instead and it's best to get it through an anonymous method like localexchange or some other service where you don't need to provide any personal information to sign up and use it.
Turn it up to 11: If you want to go ALL OUT and turn that privacy/anonymity dial up to 11, instead of following 3a, search DuckDuckGo for darknet privacy guides, they are much more extreme in some places than this. The main difference will be the recommendation not to use a VM anymore, but instead having a burner laptop with Tails installed isn't hard, and is the best level of privacy and anonymity you can attain so long as you do it right. Probably overkill for what we do, but some people want the peace of mind. Then worst case scenario you can just smash the hard drive and literally destroy any evidence.
I know it's a lot, I started this yesterday morning and am just now finishing...spent way more time than I originally thought I would on it (which really shouldn't surprise me, y'all know I write a lot). Hopefully this is helpful for people!
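On 9b (clearing photo metadata before posting): the following is an added example, not code from the original post or from Photo EXIF Editor, showing what such a tool actually does under the hood. It parses the JPEG container directly with only the standard library, drops the APP1 (EXIF/XMP), APP13 (IPTC) and comment segments where GPS position, camera model and timestamps live, and keeps the segments a decoder needs. The sample JPEG bytes and the GPS string inside them are constructed for the example.

```python
"""Strip EXIF/XMP, IPTC and comment segments out of a JPEG (stdlib only)."""
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
SOS = 0xDA  # start-of-scan marker: entropy-coded image data follows it

# Segments that carry the metadata the post warns about. APP0 (JFIF header),
# APP2 (ICC colour profile) and APP14 (Adobe colour-transform flag) are kept
# on purpose, because removing them can change how decoders render the image.
METADATA_MARKERS = {
    0xE1: "APP1 (EXIF/XMP: camera model, timestamps, GPS position)",
    0xED: "APP13 (Photoshop/IPTC: captions, author, keywords)",
    0xFE: "COM (free-text comment)",
}


def iter_segments(data: bytes):
    """Yield (marker, segment_bytes) for each segment from SOI up to SOS;
    the SOS segment is yielded with everything after it (scan data + EOI)."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        while pos + 4 <= len(data) and data[pos + 1] == 0xFF:
            pos += 1  # optional 0xFF fill bytes before a marker
        marker = data[pos + 1]
        if marker == SOS:
            yield marker, data[pos:]
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        end = pos + 2 + length  # length counts its own 2 bytes, not the marker
        if end > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        yield marker, data[pos:end]
        pos = end
    raise ValueError("truncated JPEG: no SOS marker found")


def metadata_segments(data: bytes) -> list:
    """Names of metadata-bearing segments still present; empty means clean."""
    return [METADATA_MARKERS[m] for m, _ in iter_segments(data) if m in METADATA_MARKERS]


def strip_metadata(data: bytes) -> bytes:
    """Return a copy of the JPEG with EXIF/XMP, IPTC and COM segments removed."""
    out = bytearray(SOI)
    for marker, segment in iter_segments(data):
        if marker not in METADATA_MARKERS:
            out += segment
    return bytes(out)


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one FF <marker> <length> <payload> segment (sample-data helper)."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: a structurally valid JPEG container carrying a fake EXIF
# block with a made-up GPS string and a comment. Not a decodable picture.
SAMPLE_JPEG = (
    SOI
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00\x2a" + b"GPSLatitude=40.7128N")
    + _segment(0xFE, b"Shot on my phone at home")
    + _segment(0xDB, bytes(65))  # DQT quantisation table, dummy contents
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")  # SOS header, one component
    + b"\x12\x34\x56\x78" + EOI  # dummy entropy-coded scan data, then EOI
)
```

To clean a real photo, read the file in binary mode, pass the bytes to strip_metadata and write the result to a new file; running metadata_segments on the output is the check that nothing was missed.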
@MFAAS you are truly the MVP. Can't wait for more In-Depth posts from you.
Meanwhile, I'm just starting to get my head around some of the stuff here. In regards to point 3a on using a VM / Virtualbox. Can you please elaborate on how this increases security / anonymity when it is still within your primary computer? If your primary computer is compromised, what are the mechanics / technology that will still keep your VirtualBox safe? Is it the extra layer of password / encryption to get access to that VM? Or is it more so that using the VM will decrease the chance of your primary computer getting compromised in the first place? Probably a stupid question... but here I am.