This is half a decade old news, but I only found this out myself after it accidentally came up in conversation at the DMV. The worker would not have informed me if it hadn't come into conversation. Every DMV photo in the United States is being used for AI facial recognition, and nobody has talked about it for years. This is especially concerning given that citizens are recently being required to update their ID to a "Real ID," which means more people than ever before are giving away the rights to their own face.

The biggest problem with privacy issues is that people talk about it for a while, but more often than not nothing ever happens to fix the problem, it simply gets forgotten. For example, in the next few years Copilot will simply become a part of people's lives, and people will slowly stop talking about the privacy implications. What can we even do to fight the privacy practices of giants?

In an effort to increase my privacy, I decided to buy a Pixel phone second hand to use with GrapheneOS. Due to some miscommunications, the phone ended up being carrier locked with T-Mobile. GrapheneOS's own website advises against buying carrier locked phones in order to avoid the hassle of carrier unlocking it.

I assumed that even if the support staff was unaware about OEM unlocking, I would at least be able to fairly effortlessly get the device carrier unlocked because it was bought second hand. My first call was to the T-Mobile support center, and the representative wanted the phone number of the device in order to unlock it. The device had no phone number, so we instead tried the IMEI. I was told that the IMEI was invalid because it was not the correct number of characters, and was told that there was nothing they could do without physical access to the device. As expected, the representative had never heard of OEM unlocking.

My next stop was at a T-Mobile store, to seek help there. The staff member there was very helpful and, despite not knowing what OEM unlocking was, was very aware of how to handle the situation regardless. He made a call to T-Mobile support (which has a different process if you are a staff member) and explained the situation to them.

Here is where things get interesting: T-Mobile had the ability to carrier unlock the phone, and had enough information to prove the device was mine, but refused to carrier unlock it because it has to be done by the original account holder. They wouldn't give any information about how to contact the original account holder, which is reasonable.

The in-person representative told me that if I was able to find a phone number linked with the original account holder that they would be able to do more, but after trying for over an hour to find any contact information with the seller, I couldn't find anything.

The in-person representative decided to try calling support one more time, and even went out of his way to try lying to the support team on my behalf, just to see what could be done.

After hanging up the phone, he told me that T-Mobile gave me 2 options:

1. Return the device entirely and buy a different one
2. Pay for T-Mobile for an entire year AND pay a $100 service fee

That's like telling someone they have to pay a year of rent before they can even step foot in a house they already paid for, and then pay $100 to get the doors unlocked. I knew it would be a bit of a process to get it carrier unlocked, but I didn't realize it would take me four hours to be told I had to pay T-Mobile for a year to be able to access a device I paid for.

I even tried using T-Mobile's own app to unlock the device, but the app is not functional as many reviewers have also noted.

Thankfully the seller accepted free returns, so the story has a happy ending, but any consideration of buying a carrier locked phone before has since evaporated.

It is truly dystopian how we live in a world where companies are allowed to get away with stuff like that, and yet people still give away their money and freedom to these companies.

Having used iOS my entire life, the switch to GrapheneOS will be a big change. I have learned over the past year about Android, GrapheneOS, and apps to use. I managed to find most of the apps I was looking for, but there are some I struggled with. I had trouble finding privacy respecting, open source apps for the following categories (I've listed what apps I did find, but want to see if there are better alternatives.)

• Local AI: For AI I was able to find MLC LLM, but the iOS version is a bit broken so I'm unable to confirm if it's what I'm looking for. I want something capable of running Llama 3. This was by far the hardest category to find an app for.

• Backup: I found Neo Backup and Seedvault. I want to be able to backup files, photos, app data, etc.

• IDE: I was only able to find Neovim (which I'm not even sure is an IDE). I primarily code with Python (but also code in Java as well as others), and I want to be able to run quick scripts when I'm out and about.

• Torrent: While torrenting on a phone isn't necessary, it has certain scenarios when it's useful. If this is a major hole in privacy and security, I don't mind leaving this off my list. I found LibreTorrent as an option.

• Local file sharing: This is one I'm most curious about. I want a way to share files between my Linux computer and phone. LocalSend and Warpinator seem to be tied as far as popularity, maybe I can get some insight here. I want it to be strictly over the local network.

• Network monitoring: This is nice to have for a variety of reasons. I want something like Wireshark for Android. I couldn't find many great options, but I found Vernet.

• eBook reader: I'm sure the option I picked here is fine, but I wanted a second opinion about Libera Reader.

• Terminal: I've heard a lot of different opinions for terminal emulators for Android, so please put up a good case for whichever one I should go with. Neovim is apparently (technically?) a terminal emulator. I'm increasingly confused about what Neovim actually is. I also found Termux and I eventually found too many options to find a clear choice.

• Movies: Because many movie streaming services are privacy invasive, I'm looking for an ethical way to watch movies. I found Stremio which I have never heard of before. This isn't a topic that gets covered very often.

I am aware of AlternativeTo, and it's what I used to find some of these trickier apps, but nothing beats hearing first hand experiences. Thank you all for your help!

Inspired by this post, I decided to see if I could identify any single points of failure in my own setup.

Prerequisites

There are two notable systems that should be mentioned:

The 3-2-1 rule

The 3-2-1 rule can aid in the backup process. It states that there should be at least 3 copies of the data, stored on 2 different types of storage media, and one copy should be kept offsite, in a remote location (this can include cloud storage). 2 or more different media should be used to eliminate data loss due to similar reasons (for example, optical discs may tolerate being underwater while LTO tapes may not, and SSDs cannot fail due to head crashes or damaged spindle motors since they do not have any moving parts, unlike hard drives). An offsite copy protects against fire, theft of physical media (such as tapes or discs) and natural disasters like floods and earthquakes. Physically protected hard drives are an alternative to an offsite copy, but they have limitations like only being able to resist fire for a limited period of time, so an offsite copy still remains as the ideal choice.

The factors of authentication

The ways in which someone may be authenticated fall into three categories, based on what is known as the factors of authentication: something the user knows, something the user has, and something the user is. Each authentication factor covers a range of elements used to authenticate or verify a person's identity before being granted access, approving a transaction request, signing a document or other work product, granting authority to others, and establishing a chain of authority.

Security research has determined that for a positive authentication, elements from at least two, and preferably all three, factors should be verified. The three factors (classes) and some of the elements of each factor are:

1. Knowledge: Something the user knows (e.g., a password, partial password, passphrase, personal identification number (PIN), challenge–response (the user must answer a question or pattern), security question).
2. Ownership: Something the user has (e.g., wrist band, ID card, security token, implanted device, cell phone with a built-in hardware token, software token, or cell phone holding a software token).
3. Inherence: Something the user is or does (e.g., fingerprint, retinal pattern, DNA sequence (there are assorted definitions of what is sufficient), signature, face, voice, unique bio-electric signals, or other biometric identifiers).

What KeePassXC offers

KeePassXC is an open-source cross-platform password manager. It mainly stores password databases locally, but you can simply store the file on the cloud for cloud sync. However, this method is botch-y at best, and adds the additional complexity of storing the credentials for the cloud drive.

The database can be protected with any of the following:

Password: This is something the user knows. It can be a password or a passphrase. This can be written down to become something the user has physically, or stored in a file to become something the user has digitally. Storing it in a file is generally not safe due to temporary file leaks.

Key File: This is something the user has. This is stored digitally. This file should either be kept on a separate drive, encrypted with something like LUKS or VeraCrypt, or both. It is possible to convert it to readable text and print it as a physical copy, but reversing the process every time you want to unlock your database would be cumbersome.

Hardware Key: This is something the user has. This is stored physically. You can use hardware security keys such as the YubiKey or OnlyKey for this.

Quick Unlock: This is something the user is. Quick Unlock is only available on Windows and macOS as a form of biometric authentication. It is only available for devices that have a built-in biometric scanner, or by using an attachable biometric scanner. There is most likely a way to achieve this on Linux, but the documentation is scarce.

Any combination of these methods can be used to protect a KeePassXC database. At least one must be used. However, if you use multiple methods, all of them must be used to unlock the database (e.g. if you set up a password and a key file as the methods to unlock the database, you can't only use the password or only use the key file to unlock it, you must use both.)

The problems

Each method has a single point of failure, and the fact that you can't set up multiple methods of authentication but choose one to unlock the database means that the more methods you choose to protect your database with, the likelier it will be that one method fails.

Password: This can be forgotten, lost or stolen from a piece of paper (if it's written down), keylogged or shoulder surfed, leaked through temporary files or stolen (if it's stored digitally), corrupted or permanently encrypted (if it's stored digitally), have the drive physically lost or stolen (if it's stored digitally), unconsciousness (if you only stored it mentally and needed someone else to unlock it for you), or forced our of you with torture.

Key File: This can be leaked through temporary files (if not stored properly), hacked and stolen, corrupted, permanently encrypted (if you are unable to decrypt it), or have the drive physically lost or stolen.

Hardware Key: This can be damaged, stolen, or lost.

Quick Unlock: This can be spoofed (if not set up properly), damaged, general failure to authenticate, damage to you (e.g. facial damage in a fire), or hacked with zero-day vulnerabilities (since Windows and macOS are proprietary).

If any one of these fails, the database is permanently locked.

Some solutions

There are some improvements that you can use to mitigate some of the single points of failure. All methods of authentication can be redone if something happens, but you need to unlock the database to do so (e.g. you can change your database password if it gets leaked, but you need to be able to unlock the database first, so it doesn't help if you lose your password).

Password: You can store your password using something like a password card. Passphrases are also easier to remember than passwords. Both passwords and passphrases can be safely written down on paper by enciphering them first. However, this introduces new complexities and single points of failure if you are unable to decipher the password.

Key File: The use of the 3-2-1 rule can help make sure the key file never gets lost, but extra care should be taken to make sure the file never gets stolen.

Hardware Key: You can set up multiple hardware security keys in order to make sure if one gets lost you can use the other. One key should be kept with you at all times, and the other should be safely stored somewhere else (such as a safe deposit box).

Quick Unlock: I have never used this feature, but assuming it's anything like FaceID, you should set up multiple people (such as trusted friends and loved ones) to be able to unlock with biometrics. This ensures that if something happens to you, someone else can unlock it in an emergency or other reasons you may need someone to unlock it for you.

Plugins

While I may be wrong, KeePassXC does not support plugins directly. Ideally you should be able to have plugins for things such as proper cloud sync, TOTP database protection, and changing the all-or-nothing nature of unlocking the database. However, since KeePassXC is open source, someone could make a fork of KeePassXC that supports plugins (please, call it KeePlugXC).

Database syncing

Besides not being able to unlock your database, your database file itself is largely subject to the same single points of failure as a key file. The difference is the database is completely encrypted, and is safe (although not ideal) if it gets leaked. You can store your database in as many places as you'd like, to make sure it never gets corrupted, but the issue is syncing the database as that would be a manual task. The solution presented is the botched cloud storage, but for those who want a local solution, that is not ideal.

Final notes and questions

KeePassXC is very feature rich, so there are other things that can be used to aid the process of preventing database lockouts; but even so, it's a very difficult task. How is your KeePassXC database set up? Are there any single points of failure? How have you fixed some of the issues listed here? Is there a perfect or near-perfect system for eliminating lockouts?

I've noticed that ads are absolutely everywhere, and wanted to post this to disillusion some of the places we see ads but don't realize. It would be harder to make a list of places you don't see ads.

Websites

The most common place to see ads is on nearly every website you visit. It's usually the most intrusive, especially with popups.

Books

The very end page of books and back cover of books will often advertise books written by the same author.

Billboards

Billboards along busy streets and highways often display static or moving ads. A notable mention is its role in the book Fahrenheit 451, where it was theorized that as cars get faster ads would have to be stretched out so people can see them better at high speeds.

Operating systems

Some Android operating systems, as well as Windows, show ads in a non intrusive way.

Apps

Especially mobile games, ads will be displayed anywhere possible, and sometimes used as a reward system. Social media apps display ads while scrolling, and even messaging apps will have some sort of promotion like requesting donations.

Mail

Deemed "junk mail", companies will collect and sell the address of residents in order to send useless advertisements to the residents. This can't usually be opted out of. In my opinion, this should be illegal.

Phone calls

Especially when put on hold, businesses will interject occasional advertisements in between the low quality jazz music. Customer support will also often advertise products to you while you are being assisted.

Newspapers

Newspapers have entire pages filled with ads. Some of these are promotional coupons that can be used to get overpriced products for a regular price.

Magazines

Magazines are fundamentally only used to advertise products in a passive way. The chances you actually have a meaningful experience with a magazine are slim. They are often placed in waiting rooms as a form of entertainment for people who don't want to use a phone at the time.

Music

Between songs in radio broadcasts, long ad breaks will be placed. Music streaming services will also inject ads between songs. Even the hosts of podcasts will have sponsorship segments.

Disk movies

DVD and Blueray disks will often come with ads baked in to advertise "upcoming" movies. That is, until 10 years passes and Peter Pan becomes a funny ad to see.

Movie theaters

Between movie showings, movie theaters will display long ad segments while you wait for the movie to begin. Some very long movies are even split in half, with an ad break in between for you to empty your wallet and refill your popcorn.

Bleachers

In sporting events, moving ads will be displayed under bleachers. Fun fact, these ads change depending on which channel you are watching the game from.

Commercials

Between live television, you will get 1-3 minutes of commercials and then watch the shortest segment of your actual show.

Baked into videos

Videos such as YouTube videos will have sponsorships and self-promotion baked in, causing the drastic rise of SponsorBlock.

Torrents

Some torrented files will also have text or image files attached advertising other torrenting services.

Vehicles

Buses, vans, cars, and others are often plastered with ads for different services. If you're in a car wreck, call emergency services first, not an auto repair shop.

Social media

Social media is one of the go-to methods of marketing. Besides the ads you see while doom scrolling, many pictures and videos uploaded will simply be ads for products.

Gas stations

Plastered all over gas stations, and apparently displayed on some gas pump screens, ads are placed everywhere. Is that not more of a fire hazard than eight closely packed gasoline tanks?

Posters

Pasted inside schools, workplaces, plastered on power poles and sides of buildings, posters are cheap to make and placed everywhere.

Instruction manuals

When buying a product, besides impossibly small print, some instruction manuals will have ads pasted in certain sections. Some devices like mice, keyboards, and headphones advertise proprietary software required to get the full extent of your product.

Wearables

T-Shirts, pins, bracelets, hats, and all other kinds of merch will display company names for everyone to see. Ironically, companies see these kinds of clothing as inappropriate attire on the job.

Pens

Another kind of merch, nearly every free pen has the name and contact info of businesses on it.

Redirects to downloads

Some websites will redirect you to ad websites before beginning your download. Lots of these websites (such as the infamous AdFly) are malicious and will encourage you to download malicious software.

Grocery stores

Solicitors in store, ads during checkout, product placement all throughout the store, ads over the intercom, nearly every type of ad imaginable can be found in grocery stores.

Speakers on public transport

Some subways and buses will play ads over the speakers while you travel. No napping on the bus, we want you awake to hear our ads!

Emails

Spam emails are frequently sent to people, so commonly an entire folder is dedicated to housing them. Even places you legitimately gave your email to will send you spam.

Comments and chat messages

People will often self promote their accounts on various platforms. This is a common place for scams to arise.

Solicitors

Solicitors will come on your private property just to sell their products to you. Just when you thought ads could never come knocking on your doorstep, they did.

Lawns

Lawn signs for services such as lawn care or political messages will be placed on people's property as a form of willing advertisement. Flowers look a lot better than rust and plastic.

Airplanes

Some airplanes will pull long banners with ads behind them. This is usually surrounding sporting events.

Brand names

Products produced by any company will have brand names on them. This makes it easy for advertising to flow through word-of-mouth. But seriously, where did you get that shirt from?

Search engines

Almost all search engines will display ad websites before legitimate search results

This post

Even this post had an advertisement in it that I bet most of you missed. I passively advertised "SponsorBlock" under "Baked into videos". If you missed it, that's ok. Advertising has become so common that people have become desensitized to it.

Not sure which news website I should be using for the link, sorry! I'm happy to change it if anyone has a better one.

Google agreed to destroy or de-identify billions of records of web browsing data collected when users were in its private browsing “Incognito mode,” according to a proposed class action settlement filed Monday.

The proposal is valued at $5 billion, according to Monday’s court filing, calculated by determining the value of data Google has stored and would be forced to destroy and the data it would be prevented from collecting. Google would need to address data collected in private browsing mode in December 2023 and earlier. Any data that is not outright deleted must be de-identified.

I'm concerned about the privacy implications of DNA testing services like 23andMe or AncestryDNA. What are the potential risks of sharing our genetic data with those companies, and are there any privacy-focused alternatives available?

Hello!

My knowledge about DNS resolvers is somewhat limited. So, in an effort to expand my knowledge and find a DNS resolver that works for me, I've come for help here.

Here is a list of terminology that I either know too little about, don't know anything about, or want to make sure my understanding is correct about:

Cleartext (What does this mean in the context of protocols? Is it inherently bad?)

DoH (I somewhat understand this, but is it less secure than DoT?)

DoH/3 (How is this different from DoH?)

DoT (Is this more private than DoH?)

DoQ (I don't know enough about this, how does it compare to DoH and DoT?)

DNSCrypt (I'm not sure what this is.)

Do53 (I'm not sure what this is. Is it a replacement for DoH/DoT/DoQ, or does it work alongside it?)

DNSSEC (I don't know what this is.)

EDNS padding (I'm pretty sure I know what this is, it just pads DNS queries. What happens if "Cleartext" is used, does it still pad it?)

As for what I'm looking for in a DNS resolver: I don't plan to self host it, I would like support for iOS, Linux, and Android, I would like it to be free, I would like EDNS padding, DoH is preferred (although I don't quite understand the alternatives). I am aware that the DNS resolver will usually be the same as my VPN. Note: I'm not looking for a beginner DNS resolver, I've been using NextDNS for a while now, I'm looking for one with strict privacy and security.

I've tried looking at Privacy Guides and Wikipedia, but I don't know enough to make an educated decision.

Any suggestions?

Thank you all!

All questions are in bold for ease of use.

The major carriers in the United States participate in NSA surveillance (except for T-Mobile apparently, because it's based outside of the US. Except they bought Sprint, which participates.) and that, along with other major privacy issues, means that the market for private carriers is incredibly slim. When I found out that some carriers, such as Mint Mobile, piggyback off of Verizon, I wondered: What's stopping a carrier from simply E2EE everything from Verizon, and then using Verizon to transfer the data? Obviously, the encrypted data could still be collected and sold, but it wouldn't matter if the encryption was setup properly, right? I'm looking to better understand how this works, and, if a solution exists, potentially be the first to make it happen. The reason I'm not suggesting creating a carrier without piggybacking is due to the sheer cost and lack of support it would have, which would lead to poor adoption. Also, if carriers simply don't support E2EE, couldn't carrier locked phones install the software (since most install software anyways) required to make E2EE work?

Hello, Lemmy!

It may be difficult to spend time actively improving some of the services you use to have a more privacy conscious presence, and so this thread is dedicated to help people learn and grow in their privacy journeys! Start by stating which services you currently use, and which ones you may be looking for/want to improve. This thread is entirely optional to participate in, because a lot of people understandably feel uncomfortable listing which services they use. Writing those out can be a lot of work, but the payoff is huge!

Remember these rules:

• Be respectful! Some people are early on in their privacy journey, or have a lax threat model. Just because it doesn't align with yours, or uses some anti-privacy software, doesn't mean you can downvote them! Help them improve by giving suggestions on alternatives.

• Don't promote proprietary software! Proprietary software, no matter how good it may seem, is against the community rules, and generally frowned upon. If you aren't sure, you can always ask! This is a place to learn. Don't downvote people just because they don't know!

• Don't focus solely on me! Since this happened in another one of my posts, I want to mention that this thread is not designed to pick apart only my setup. The point is to contribute your own and help others. That doesn't mean you can't still give suggestions for mine, but don't prioritize mine over another.

• Be polite! This falls under "Be respectful", but be kind to everyone! Say please, thank you, and sorry. Lemmy is really good about this, but there will always be someone.

Here is my setup:

Web browsing

• I use Tor for using online accounts (such as Lemmy, etc.)

• I use Mullvad Browser for general browsing

• I use Librewolf for functionality that Mullvad Browser doesn't have (security keys, etc.)

• I use Firefox + uBlock Origin for streaming videos that break on Librewolf and Mullvad Browser.

• I always use a SearXNG instance for web searches. I always use ProtonVPN (free tier). I use a private DNS resolver.

Desktop

• I use Secureblue (yes, I'm that guy from a post a couple weeks ago)

• I sit behind a firewall.

• I only use FOSS Flatpaks with Flatseal.

• My BIOS is password locked but proprietary (due to compatibility issues).

• I occasionally use Tails because I think it's fun.

• I use full disk encryption, multiple disks, and a second layer of encryption for specific important files (NSA style)

Mobile

• I currently use hardened iOS until I can scrape together some money for a Pixel to use GrapheneOS

• Again, I constantly use ProtonVPN (free tier)

• I use a private DNS when ProtonVPN is turned off

• I use AdGuard, but I browse the internet with the DuckDuckGo app (I can't sideload)

• I use a very strong passcode

• Airplane mode is constantly enabled, I don't have a SIM

• I use a Faraday bag to store my device when I'm in public

• I use a privacy screen protector

Messenger

• I mainly use Signal with a borrowed phone number, because SimpleX is still buggy on iOS, and Signal is the easiest to switch friends to. I rarely use iMessage, but there are times when I have to.

Online accounts

• Passwords are stored in Bitwarden for mobile accounts, and KeePassXC for desktop accounts.

• Yubikey is placed on any account I can, otherwise 2FAS is used

• I keep public accounts (Lemmy, etc.) as locked down as I can.

Video streaming

• I use the native YouTube app on iOS, simply because any of the others I've tried either don't actually work or require a Mac to install. I don't have a Mac, obviously.

• I use FreeTube on desktop, but as I was writing this I was informed that FreeTube has a few issues I may want to look into (Electron).

AI

• I would love to know if there are any Flatpaks that run local LLMs well, but I currently use GPT4All (since that's what I used a year ago).

• On mobile, I use an app made by a friend that gives access to GPT-4 and Gemini. Because it's running off of his own money, I'm not going to share the project until he has a stable source of income.

Social Media

• I don't use any social media besides Lemmy.

Email

• I use ProtonMail

• I have addy.io as an alias service

Shopping/Finance

• I currently either proxy my online purchases through someone else (have them buy it for me and I pay them back), or use a gift card

• For physical purchases I use cash

• I only use my bank account for subscriptions (Spotify, etc.)

• I am working on using Monero and privacy.com

Music streaming

• I use Spotify on my phone

• I use Spotube or locally downloaded files on my computer

• I have multiple AM/FM receivers with some yard long antennas and direct metal connectors

TV shows

• I stream from ethical services for some movies

• I go to a theater or buy a DVD for other movies. I am the proud owner of a USB DVD player.

• I also have an antenna hooked up to my TV

• There are certain IPTV services I have used in the past

• I do not use a smart TV.

Gaming

• I download local games, plain and simple. Or I code my own game.

Programming

• I code in Python using PyCharm. I'm looking for alternatives.

• I will use GitLab when I decide to publish some of my work.

Productivity

• LibreOffice, although the UI is iffy

Misc

• I don't use any location services

• All my clocks are set to UTC

• I don't have a smart watch

• I don't have a smart car

• I use Bluetooth earbuds

• I cover my webcams with paper and tape. Reason: It's worth taking a couple seconds to peel tape off when you use the webcam than to risk a massive breach.

Thanks for reading!

Note here: I found out the other day that a Google Streetview car passed by my house, and my blinds being shut were the only thing keeping my room away from prying eyes. Is there an easy way to blur/censor my house without giving up my soul?

Special thanks

Lots of people kindly contributed their personal setups in the comments, and some even made their own posts! I'm really glad I could spark inspiration and start a way for people to learn and grow in their privacy journeys. To think, just this morning, I was stressing on if people would even enjoy the post at all! Thank you all again, and please go forward to inspire others. I am not the person who made this happen, all of you are!

Evidently Tails 6.0 released over a week ago, and my version never prompted me for an upgrade ~~(maybe because it's a major upgrade, I don't know.)~~ In any case, I wanted to first of all spread the word about Tails, and second of all mention this: My one problem with Tails is that it had some outdated software (such as KeePass being a few versions behind), but with the introduction of Tails 6.0, that seems to be resolved.

Tails also has dark mode now. I love dark mode.

Edit: "Automatic upgrades are only available from Tails 6.0~rc1 to 6.0. All other users have to do a manual upgrade."