Any tips on how to avoid this? I suppose those tin foil signal blockers might be useful?

Just leave your phone at home and bring a plain old small digital camera, agree ahead of time with friends on when and where to meet up. It's interesting to me, and I guess showing my age, that this isn't self-evident to everyone everywhere.

I suspect the old school stuff is generally less monitored. I think some of the cheap Baofeng radios support AES256 encryption. I think that's technically only legal with a business license from the FCC or some such, but I'd be a lot less worried about an FCC fine than having my phone tracked. There's probably some quick keypresses to clear the encryption config so it looks like it was on plaintext.

Do not use devices that can be trivially tracked through the cell network, or that can be surveilled by big tech. This means a device bought anonymously, a free/libre OS like Graphene, no Google/Facebook/Apple spyware apps, and an anonymous SIM paid for with cash or crypto. This should be done by everyone to avoid the possibility of mass surveillance, not only people who have something to hide from a three-letter agency. If you really have something to hide, then the cellular network shouldn't be used at all.

>Do not use devices that can be trivially tracked through the cell network, or that can be surveilled by big tech. This means a device bought anonymously, a free/libre OS like Graphene

GrapheneOS isn't magically exempt from cell tracking, and both Android and iOS phones can go into airplane mode and have location disabled, which provides similar privacy.

>and an anonymous SIM paid for with cash or crypto. This should be done by everyone to avoid the possibility of mass surveillance, not only people who have something to hide from a three-letter agency.

No, it's much harder than just "an anonymous SIM paid for with cash or crypto". You need to practice proper opsec. There's no point getting an anonymous SIM when you then turn around and use it as a 2FA number for your bank, or carry it around with you every day.

> GrapheneOS isn't magically exempt from cell tracking, and both Android and iOS phones can go into airplane mode and have location disabled, which provides similar privacy.

You practically can't do anything on a Googled Android device or iOS without a Google or Apple account, so no, they don't provide "similar privacy." The point of a FOSS system is that the user fully controls it, and can install apps privately from any source.

>You practically can't do anything on a Googled Android device or iOS without a Google or Apple account, so no, they don't provide "similar privacy."

If you're talking about not being able to install third party apps, Aurora Store doesn't require an account and works fine on stock Android. Most other basic functionality works fine too, e.g. camera, calls, browsing, maps.

> If you're talking about not being able to install third party apps, Aurora Store doesn't require an account and works fine on stock Android. Most other basic functionality works fine too, e.g. camera, calls, browsing, maps.

The Play Store is not the only issue with stock Android devices. Google dependencies run with high privileges and the device is constantly communicating with Google servers for one reason or another. You do not own a Google device for all intents and purposes. The main contribution of Graphene here is that it strips out the proprietary blobs and optionally provides an environment to run Google's libraries with unprivileged access.

The point about de-Google'd Android vs your insistence on GrapheneOS is that by the time you are using Google's libraries, like Maps, Play Services, or their notification service (Firebase, IIRC), you've already lost. GrapheneOS is not dramatically better than de-Google'd Android if you're still sending all your notifications through Google, as well as your location and things like contacts

The point is you have to leave Google with both for it to do much good

> insistence on GrapheneOS is that by the time you are using Google's libraries, like Maps, Play Services, or their notification service (Firebase, IIRC), you've already lost.

Graphene offers the option of sandboxing Google apps should you want them. The usual setup is a second user profile with all the Google stuff in it. My main profile only contains FOSS apps and nothing passes through Google's servers. I use the Google profile for the maps with a dedicated account maybe once a month when driving somewhere unfamiliar.

> a device bought anonymously

> an anonymous SIM paid for with cash or crypto

I think these already have you screwed. That anonymity is going to be superficial at best. You will be recorded making these purchases, and tracked to your identity.

Then you're going to take it home for >8 hours per day, and to your job several hours per day, and likely call at least one or two of your important contacts. At which point that's the ball game - the pool of people that live in the immediate vicinity of your building, and work in the immediate vicinity of your job site, and call your partner / parents / kid, is made up of pretty well exclusively you

See my other comment. At least in this particular case the databrokers are getting the data from apps themselves. If you don't grant location permissions to shady weather/transit/delivery apps, you should be safe.

Without more information about how the system works, a casual "eh if I don't grant location data access to shady apps I'm probably safe" seems very risky. What apps are "shady"? How does the real-time bidding system obtain and divulge location data?

I think that it is not a safe assumption that the only way corporations are obtaining people's location is via OS location APIs.

>Without more information about how the system works, a casual "eh if I don't grant location data access to shady apps I'm probably safe" seems very risky.

I don't think anyone who actually is at risk, or cares about risk, is going to be overconfident about their security because some HN commenter said "you're probably fine".

>What apps are "shady"?

Depends on your paranoia level. I'd say first party apps (e.g. Apple/Google Maps/weather) are probably fine. Google has the additional caveat that they record location history and therefore might be subject to geofence warrants. If you think iOS/Android is backdoored then all phones are off limits.

>How does the real-time bidding system obtain and divulge location data?

They're whatever ad SDKs can get their hands on. If the app has location permissions, it's that. Otherwise it's something like geoip. At the end of the day it's just third party code running in some app's sandbox. If the app can't get it, the SDK can't get it either.

>I think that it is not a safe assumption that the only way corporations are obtaining people's location is via OS location APIs.

What other plausible mechanisms are there then? Wi-Fi/Bluetooth scanning requires location permissions since forever ago.

One way to minimize the info they gather is by using a dumb phone. I have a flip phone running some RTOS that doesn't allow any kind of apps and doesn't have GPS, meaning the only trace it leaves is any cell activity

The true answer is: Hold your politicians accountable for this at every level, including at the "boring" local level and on all levels all the way up to the top.

This type of problem needs to be fixed on the society level.

Not use any device that has GSM/LTE, or Bluetooth.

Alternatively, broadcast a hidden SSID WiFi AP via an enabled RPi and use only devices that have WiFi. Hand them out to people for free to increase the spread.

Attach magnets to the RPi's and go rogue by sticking them to buses, cars and trains et cetera to increase range.

Are there decent wifi communicators on the market? I looked into some Lora projects for this but they never seem to actually ship or get past prototypes

> Are there decent wifi communicators on the market? I looked into some Lora projects for this but they never seem to actually ship or get past prototype

Yes, 100%. Meshtastic and Meshcore both do this, but I'd recommend Meshcore. Here in the Seattle area we have a network that fairly reliably delivers messages from Canada through the Seattle metro area all the way down to Portland. Fully encrypted with dual key cryptography. Meshcore uses a different strategy than Meshtastic, which enables Meshcore to work more reliably. To see what's happening in your area for Meshcore see https://analyzer.letsmesh.net/map

Is very fun to set up a repeater for under $50 and see a noticeable difference in the coverage area. Is a fun technical project that combines the best of hiking/walking/driving geocaching style, ham radio (but without a license requirement), antenna building, and more. I'm getting acquainted with people in my neighborhood too which is a bonus.

Figuring out what hardware to buy that'll actually work can be a challenge. To get started, search Amazon for "heltec v3" and make sure you get something that includes a battery, and you'll see 2-packs of radios for $60. There's a web flasher at the above link that'll put the software on the radios for you.

Really wish more people would get on the Meshcore train here locally. Everyone just picked up meshtastic and looked no further.

Meshcore's crypto is interesting.

ECB, issues with key generation, key negotiation, seldom authenticated data, ...

It definitely works better than MT but please stop lauding it for its cryptographic properties ;)

It's at the bottom of their TODO, under the heading "V2 protocol spec".

> a hidden SSID WiFi

Don't do this!

The BSSID is still visible, and is the unique identifier any trackers will be looking for anyway. Also making the SSID hidden just means the AP isn't broadcasting it, any listeners can still see the SSID whenever any client interacts with the AP.

Hidden SSIDs are generally much worse for privacy than non-hidden ones, since all stations (clients in 802.11 terminology) need to constantly go around yelling "hey, is SSID abc available?" while they're not connected to any SSID.
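An added illustration of the two comments above, not written by any participant in the thread: a minimal parser for 802.11 management frames, run over two constructed frames, showing that a hidden network's beacon still carries its BSSID and that a client's directed probe request carries the SSID in cleartext. The MAC addresses, the frames and the function names are assumptions made up for the example; `abc` is the SSID used in the comment above.

```python
import struct

BEACON, PROBE_REQ = 0x80, 0x40      # frame-control byte 0: mgmt subtypes 8 and 4
BCAST = b"\xff" * 6
AP = bytes.fromhex("020000000001")   # constructed, locally administered MACs
STA = bytes.fromhex("020000000002")

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def build(fc0, addr1, addr2, addr3, ssid):
    """Build a minimal 802.11 management frame (constructed sample data)."""
    hdr = struct.pack("<BBH6s6s6sH", fc0, 0, 0, addr1, addr2, addr3, 0)
    fixed = bytes(12) if fc0 == BEACON else b""  # timestamp, interval, capabilities
    return hdr + fixed + bytes([0, len(ssid)]) + ssid  # element ID 0 = SSID

def parse(frame):
    """Return what a passive listener can read from one cleartext frame."""
    if len(frame) < 24 or frame[0] not in (BEACON, PROBE_REQ):
        return None
    body = frame[24 + (12 if frame[0] == BEACON else 0):]
    ssid, i = None, 0
    while i + 2 <= len(body):                    # walk the tagged elements
        eid, elen = body[i], body[i + 1]
        data = body[i + 2:i + 2 + elen]
        if len(data) < elen:
            break                                # truncated element, stop
        if eid == 0:
            # Hidden networks send an empty or all-NUL SSID in beacons.
            ssid = data.decode("utf-8", "replace") if data.strip(b"\x00") else None
            break
        i += 2 + elen
    return {"kind": "beacon" if frame[0] == BEACON else "probe_request",
            "transmitter": mac(frame[10:16]), "bssid": mac(frame[16:22]),
            "ssid": ssid}

# Constructed capture: a hidden AP's beacon, then a client looking for it.
SAMPLE = [build(BEACON, BCAST, AP, AP, b""),
          build(PROBE_REQ, BCAST, STA, BCAST, b"abc")]

def observe(frames):
    return [r for r in map(parse, frames) if r]

if __name__ == "__main__":
    for row in observe(SAMPLE):
        print(row)
```

The beacon row has `ssid` set to `None` but a readable `bssid`; the probe request row, sent by the client wherever it happens to be, names the network.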

I was ultimately taking the piss, it'll be radical if someone actually did but I had no idea it caused wifi pollution from this.

You learn something new every day.