Technical Privacy Tips

Securing your Privacy. It matters!

A few thoughts on privacy, limited to mobile phones - specifically android as it's really the best way to go for privacy. 

General Thoughts

First thing to note is how google identifies you as a person/user. There are 5 ways I know of:

1. Your mobile device (unique serial number, IMEI and MAC address)

2. Your SIM card (unique SIM card serial number - IMSI and phone number)

3. Your browser (so-called browser fingerprinting)

4. Your Google account and sometimes other accounts that are tied to your Google account (eg you registered using your gmail) and that themselves use some Google services.

5. IP

So, even if you format your phone, log out of the google account, all that kind of stuff, this device is already tainted and they will have info stored on the habits of the person using that IMEI and SIM. Best way is to start fresh with a new phone and new number if privacy/anonymity is your aim. This doesn't necessarily mean anything expensive though. There's stuff under £100 quid that works for privacy (though I would recommend buying a device that runs 'out the box' on at least android 8 or higher) and you can strip usage right back on your current device. Mine as an example gets used for banking apps, Twitter, and WhatsApp. That's about it. Everything else is on my privacy device. Note: your SIM doesn't pass info back and forth to apps so this isn't strictly necessary but it's an optional extra layer of control since that number will be tied to your identity somewhere.

So, not all phones will work for what I'm outlining but you can usually find out which phones are supported, and new phones are added all the time as various developers work to make them secure. 

Customer Operating System (ROM)

Currently for mobile it's better and easier to install a deGoogled Android ROM like LineageOS or GrapheneOS. These aren't available for all devices of course as I said but GrapheneOS works only on Pixel phones, which is funny considering that they are made by Google. You will mostly be able to use all of the same apps that you would with a regular Android OS installed but no 'Google' means some things won't work, like Google Maps (and all apps that use it), some notifications (because these typically use Google's Firebase messaging service), and probably some other stuff. 

Some apps may not run because such phones are typically rooted. To put it simply, root is the super user/administrator, which by default is available to Google but not the phone owner. So a rooted phone is one that has administrative privileges, which is generally a threat. On linux systems (which Android kind of is) you almost never log in as root, because if you get hacked while on root, your whole system is compromised. Therefore, some apps which value security, don't run on rooted phones. This means primarily gov apps, bank apps etc. Barclays doesn't work on rooted phones, for example.

So, once you get a deGoogled phone, there are 2 app stores that you will need. First is F-droid which has only free open source software. There's obviously much less of those than in the GooglePlay store, however they are ad-less (since ads are a Google thing).

Then Aurora Store which allows you to download apps from the GooglePlay store and also shows you a lot of privacy and security related information, such as what smartphone features the app uses (including those that don't require permissions) and what trackers it has (Facebook, Amazon, Google and some others).

Something quick to note here - you will have to become a lot more hands-on with things like installing apps and managing files as your phone will by default start asking your permission for everything. Where once you could click 'yes' and it would install something, now you will have to confirm the download then open the file, then confirm installation, then confirm the level of permissions you want that particular app to have.

Next up, counter measures:

1. a) MAC address is a unique identifier of device's network interface controller. On desktop there are ways to conceal it using special adapters and software, or by using virtual machines, however on mobile it can only be changed through a system format or by changing the hardware.

b) IMEI (International Mobile Equipment Identity) is a unique identifier code assigned to all devices that have access to GSM networks. There are some ways to remove it, but I haven't experimented with them.

c) Serial number - nothing can be done about this one, except of course just changing the device.

You can view these codes in settings, somewhere in the hardware and WiFi sections.

2. a) IMSI (International mobile subscriber identity) identifies your SIM card and like IMEI it is permanent. However IMSI is necessary for the use of the network, therefore it is impossible to remove it or conceal it in any way.

b) Phone number - well, basically don't give it to any website or app if you don't have to. There are online services for fake SMS authentication, though they don't always work. A good idea might also be to get a prepaid burner SIM to use for registrations that require a phone number, or like I mentioned, I keep my old 'compromised' phone for these purposes, though I did also get a new number (SIM) for that phone too.

3. a) Cookies and cache - well these are easy to clear, all browsers nowadays have a button for that and there are extensions to disable storing them completely, or clear them on exiting the browser.

b) Site data, in programming terms also called local storage, is a way for a website to store ANY data on YOUR device INDEFINITELY. This is meant to be used for performance optimisation, but the data can be absolutely anything and so it can be used to track you just the same. This is how Facebook can still track you even if you delete the app. In some browsers again you might have a button to clear it, or use some extensions. Not a worry at all if you start with a blank phone though.

c) When you visit websites, they collect a lot of data about your network (IP), device (eg MAC address) and your system, as well as lots of metadata like request time, speed, what browser you're using, your location, your screen size (if browser is on fullscreen) etc - these might seem pretty worthless in solitude, but combined they create a very unique fingerprint. There is no obvious countermeasure, however this data will be useless if you don't attach it to any identity. Therefore the best way to deal with this is to compartmentalise your browsing. This means you have several different browsers and use them for different purposes. I personally use 3 but spread across 2 phones and a PC . One can be devoted to sites that have my identity from payments, think Amazon, eBay, bank, etc. Another is for unimportant accounts like online forums, Twitter. Another for general browsing/research. Another for full anonymity etc. You can (and should) divide it in a way that suits you.

4. As I said previously, check your Google activity, research it, identify threats, then delete it. Then, switch all your services to use something else than Google. Make sure to ditch Gmail, as Google reads all your e-mails, thus they know literally everything about you. For example, every time you buy something on Amazon, you get a notification to Gmail and Google can read what you have bought and when, including the delivery address, phone number and literally everything. E-mails aren't safe in general, but that's a topic for another time.

5. IP is the easiest to conceal. Basically, get Mullvad VPN and/or use Tor. This is a simple solution for both desktop and mobile, and you can pay for it anonymously using crypto currency like Bitcoin.

Now, there's one other thing to point out for now - the sensors in your phone are also capable of recording your voice. To turn those off you will need a phone that comes out the box with Android 10 (but you'd wipe that and replace it with lineage/graphene anyways but you still need a device with the technical bits inside). 

First you need to enable developer options. If you don't know how: Go to 'settings', 'about', an tap on 'build number' seven times until it gets unlocked. Then in 'developer settings' search for 'tiles' and you should find 'Quick settings developer tiles'. In there you can 'switch sensors off'. Turning off that sensor will also turn off your camera and microphone. They will still work when using them through an app or on a call, but they won't receive any sound from the sensors.

This is a link to lineageOS.  If you click 'download' in the top left it brings you to another page where on the left hand side you can see manufacturers, and when you click on them you can see the models of phone that are supported at the moment. They add more over time and it's unlikely they will have the latest handsets on there because it takes time to write and test the code. You will also get links to installation instructions on the download page and I would read those very carefully before doing anything at all, at least 2-3 times.

https://lineageos.org/

Here's one for Graphene:

https://grapheneos.org/releases - this tells you the supported models

https://grapheneos.org/install/ - installation options

Other useful items - if you want to watch youtube on your new phone you can install something called 'Newpipe' through the Fdroid/Aurora store. Aurora store is like a 'spoofed' play store so you don't get tracked but get most of Google's apps on there. It makes up a new anonymous identity for you every time you log on to it too.

Speaking of YouTube - there is a channel called 'The Hated One' who speaks a lot about privacy related things so that might be worth a look.

https://www.youtube.com/channel/UCjr2bPAyPV7t35MvcgT3W8Q

Think that's about it from me for now. Have fun going through all that, there IS a lot to take in but it becomes second nature eventually and honestly, I use my gadgets a bit less and feel better for it myself.