Becoming Virtually Untraceable (Eps7.0_S0c1al.D1st0rt!on.bat)
*Note: This article was originally published by the author on December 2, 2018. This article is also available in Spanish here.
“In our Governments, the real power lies in the majority of the Community, and the invasion of private rights is chiefly to be apprehended, not from the acts of Government contrary to the sense of its constituents, but from acts in which the Government is the mere instrument of the major number of the constituents.” ~James Madison, Letters and Other Writings
*It is beneficial to begin reading this series from the beginning to understand everything that has been previously covered up to this point.
I’ve covered a lot of ground in previous segments and in the 7th edition of the newsletter, I will show you how Artificial Intelligence (AI) is poised to become a major digital privacy threat in the near future. I’ve also added a couple of new sections to these installments that specifically address privacy tactics, techniques, and procedures or TTP, privacy tools, and low-tech anonymity and evasion techniques.
For those who value their individual privacy, it is difficult to put a price tag on it. In fact, I would not trade wealth and fame for my privacy, which may provide you with some perspective on how important privacy is to me. Let me ask you though, how do you feel about your private information such as your Amazon purchase history, home address, age/birthdate, Internet browsing habits, GPS-captured driving routes (e.g., Google Maps, Waze), and Netflix, Hulu, or Amazon Prime viewing history being sold or leaked without your knowledge or permission? Not only are you often paying a provider for a particular service, but in some instances, these companies are selling your private user data to make even more money off of you. And you’re paying them to do so! What an incredible concept.
Does it also bother you to think that software developers working with Google’s Application Program Interface (API) have been given rights to read your personal emails without your consent? Well, actually you did agree to this practice when you vaguely glossed over their Terms of Service agreement. Or did you just skip it completely and falsely acknowledge that you read it like so many of us do? It has been said that the biggest lie in Tech is that, “I’ve read and understood the Terms of Service.”
Is it bothersome to you that Facebook has been so careless with your private user data time and time again over the years with your personal photos, videos, and status updates to the point where Facebook has even reset the security settings on your account without notifying you that they had done so and left your account exposed for anyone to view? Does it bother you that Mark Zuckerberg seems to only care about making a profit off your use of Facebook and couldn’t care less about your privacy rights? Do you actually understand how Facebook makes its profits? It has been demonstrated repeatedly that Facebook sells access to third-party vendors to view your browsing habits via Facebook cookies that follow your Internet browsing activity even after you’ve closed the Facebook website. You could even completely close and re-open your Internet browser and the Facebook browser cookies will still be there unless you’ve blocked or deleted them. Of course, Facebook also makes a fortune from tailored-interest marketing ads served up to its 2.27 billion users as of 3rd quarter 2018.
If none of this bothers you, then please close this tab on your browser and don’t bother reading any further. However, if you care at all about your individual privacy rights, then these examples should serve as a wake-up call for action. In America, citizens have two options to effect change in corporate behavior. The first is that we as citizens convince Congress to pass comprehensive privacy legislation, which seems an unlikely prospect, as Congress appears to be incapable of passing any meaningful bipartisan legislation due largely to their being in bed with the tech firms that are lobbying on their behalf. The other option we as citizens and consumers of corporate products have is the power of the wallet, which is to say that we vote our conscience with our collective consumer power.
If enough people were to stop using these unscrupulous corporate services, it would cut them off financially, and the companies would begin to feel the financial pinch. Trust me, they are acutely attuned to their financial well-being. Drastic changes will ensue whenever corporate financial desperation sets in. CEOs, CFOs, board of trustee members, and investors begin to get nervous, stocks start to plunge, and finally, just maybe the CEO of the targeted company begins to finally understand that either they change their ways and begin listening to their customers or they go bankrupt. Take your choice. For a company as large and deeply ingrained in our culture as Facebook to feel the effects, however, it would take far more than just its American user base to quit using Facebook to incite real change. Zuckerberg and company would definitely notice if American users dropped off drastically and changes would likely ensue, but a global trend from its over 2 billion user base would be needed to truly change mindsets. Facebook will also likely have to get rid of founder and CEO Mark Zuckerberg and replace him with a more privacy- and security-conscious CEO.
AI Systems & Privacy
AI is one of the big buzzwords in cybersecurity and Big Tech right now. Everyone’s talking about it, writing about it, and imagining how it is going to solve all of the world’s problems much like some think that Blockchain and cryptocurrencies will. Let me be clear, it will not. Soon, whether you want to or not, we will all be forced to deal with Artificial Intelligence (AI) systems in many different aspects of our lives as it will become quite ubiquitous. This is despite the fact that a 2017 Genpact poll of 5,179 Americans and Brits found that “nearly two-thirds of consumers are worried that AI is going to make decisions that will impact their lives without their knowledge.” Corporations and governments will force AI on people whether they like it or not in the name of efficiency and cost-savings, much like airlines are forcing people into smaller airplane seats with less and less legroom every year. Whether they realize it or not, many people already have AI systems in their homes and through their Internet-connected smartphones. Google Assistant is AI technology that can be programmed to verbally sound just like a human with our awkward speech patterns and tonal inflections to the point where you probably wouldn’t know that you were even speaking to a non-human AI system. It’s scary how real and human-like Google’s AI sounds.
If you are under the false impression that Big Data tech firms actually respect your individual right to digital privacy, then I hate to be the one to break it to you but you’re sadly mistaken. Read their privacy policies since you probably didn’t bother doing so before. You’ll quickly understand.
AI represents a threat to both security and privacy in that it could potentially steal your personal identity if it can quickly fetch all your personal account details across multiple websites and Internet platforms, and even illegally impersonate your voice. Sure, it’s fine when the AI technology studies your voice by listening to all of your verbal commands to your Home Assistant and phone conversations so it can order you Thai food all by itself in your voice, but what happens when that same AI system is hacked and used illegally by cybercriminals to call your bank and wire money to another account, take out a personal loan, or call your home security provider to let them in your house while you’re out of the country on vacation? Shit just got real now, right?
But I ask you again, how do you think these types of companies make their profits? From you using their “free” email, entertainment viewing, and other services? These companies are not dumb; they’re doing everything they possibly can to market every aspect of you, your identity, and your data to turn a profit and maximize the popularity of their products. These companies, the Googles, Facebooks, Twitters, Apples, Amazons, and Microsofts of the world, will publicly proclaim the importance of data privacy and then turn around and provide massive amounts of money to lobby against U.S. data privacy regulations at both the Federal and State levels. They want customers to think that they have their best interests in mind, but don’t be fooled. Greed is the name of the game. Why the fuck do you think they’re charging $1000 for the latest cell phone? The passage of newer, stricter privacy laws will hurt their businesses. They are terrified that privacy regulations such as the European Union’s (EU) General Data Protection Regulation (GDPR) will take root in the U.S.
“We want better digital privacy for our customers because they demand so, we just aren’t sure how to give them what they want and stay in business! We [Big Tech] want stricter privacy laws too, but let’s not go so far as to implement GDPR in America!” ~ me paraphrasing
These companies stand to lose a significant amount of money if new, stricter privacy laws become reality, so expect Big Tech and the advertising and marketing industry to fight any new privacy legislation by challenging any such law in court. This fight over your personal data protection will occur at every level of the government and the court system, and at every step in the process, to drag it out as long as possible and to delay its effects. It is highly probable that any new American privacy laws will ultimately be decided in the Supreme Court of the United States after all of the appeals. Of the nine Justices, Neil Gorsuch and Brett Kavanaugh are Trump-appointed. With the Trump presidency in only its second year and the aging Supreme Court Justices, the U.S. stands to see even more Trump-appointed Justices if Trump is reelected in 2020. U.S. history has demonstrated that the party in power (i.e., Democrats or Republicans) will stack the deck in their favor to get more laws passed by appointing new Justices that support their beliefs even though they’re supposed to be non-biased.
“We collect information to provide better services to all our users — from figuring out basic stuff like which language you speak, to more complex things like which ads you’ll find most useful, the people who matter most to you online, or which YouTube videos you might like. The information Google collects, and how that information is used, depends on how you use our services and how you manage your privacy controls.
When you’re not signed in to a Google Account, we store the information we collect with unique identifiers tied to the browser, application, or device you’re using. This helps us do things like maintain your language preferences across browsing sessions.
When you’re signed in, we also collect information that we store with your Google Account, which we treat as personal information.”
“Hey, Who Cares Anyway — I Don’t Have Anything to Hide?”
“The information we collect includes unique identifiers, browser type and settings, device type and settings, operating system, mobile network information including carrier name and phone number, and application version number. We also collect information about the interaction of your apps, browsers, and devices with our services, including IP address, crash reports, system activity, and the date, time, and referrer URL of your request.”
A quick summary of analysis: WTAF? Why does Google need to know the unique identifying characteristics of the device you’re connecting from, including the settings you have on the device; whether you’re using Chrome, Firefox, Edge, or another browser; what mobile carrier you’re using and your phone number; the application version number; how your apps, browsers, and devices interact with Google services; the IP address you connect from; what’s happening on your operating system in the background; and, of course, the date and time you’re using their services, always, every time you connect? Good Lord Sir, why on God’s green Earth is all of this data collection necessary and what are you doing with it, Google? So, I can see how some of that information is useful to Google in how it relates to interaction with their services and products, but it seems a bit overboard, does it not?
If you use Google, I highly recommend that you go into your account control settings, navigate to the “Personal info & privacy” section, and select “CREATE ARCHIVE.” Then, and only then, will you acquire a real sense of just how much data one company [Google] collects on you. Just look at all of those applications that you probably use and whose usage Google has been archiving. “Oh, joy!” How delightful and thoughtful of Google to do that for us, right? What could you possibly do with all of this data? Well, folks, this is where the monetization aspect comes into play with respect to Google collecting massive amounts of user information and selling it to marketers. But the rabbit hole goes much deeper…
We collect information about your activity in our services, which we use to do things like recommend a YouTube video you might like. The activity information we collect may include:
Terms you search for; Videos you watch; Views and interactions with content and ads; Voice and audio information when you use audio features; Purchase activity; People with whom you communicate or share content; Activity on third-party sites and apps that use our services; Chrome browsing history you’ve synced with your Google Account.
Google is keeping track of your search history to market products and services to you. HINT: Use https://duckduckgo.com instead; it’s completely free like Google, but it doesn’t log your search history and it blocks advertising trackers. Wow, so Google also keeps a tally of which videos and music you like to watch and listen to on YouTube so they can “recommend a YouTube video you might like.” I would like to choose for myself actually. Google also keeps track of your purchase activity; this is something that we can pretty much guarantee is shared with their marketing research partners. Remember the AI system running in the background of your Home Assistant? Yeah, well it overheard the intimate conversation you had last night with your girlfriend about that trip you want to take her on to the Bahamas. Stand by for ads in your feed and search results for the Bahamas! We got you, man! Google is there for your every need, even those you didn’t think you needed. But wait, there’s more.
If you use our services to make and receive calls or send and receive messages, we may collect telephony log information like your phone number, calling-party number, receiving-party number, forwarding numbers, time and date of calls and messages, duration of calls, routing information, and types of calls. We collect information about your location when you use our services, which helps us offer features like driving directions for your weekend getaway or showtimes for movies playing near you. Your location can be determined with varying degrees of accuracy by: GPS; IP address; Sensor data from your device; Information about things near your device, such as Wi-Fi access points, cell towers, and Bluetooth-enabled devices.
Ok, so now Google might as well be the National Security Agency (NSA) or the Central Intelligence Agency (CIA) with the amount of information they’re collecting on you, right? Holy smokes! Who are you, Jason Bourne? Call logs, dates/times, GPS locations from cell towers, and Wireless Access Points (WAP). This is some scary, next-level type of cyberstalking capability here. This is the kind of stuff Hollywood movies are made of, only it is 100% real life. If the authorities had due cause, they could get a warrant requiring Google to grant them real-time access to all of this data about you and your use of Google’s services. But wait, there’s still more.
The types of location data we collect depend in part on your device and account settings. For example, you can turn your Android device’s location on or off using the device’s settings app. You can also turn on Location History if you want to save and manage your location information in your account.
In some circumstances, Google also collects information about you from publicly accessible sources. For example, if your name appears in your local newspaper, Google’s Search engine may index that article and display it to other people if they search for your name. We may also collect information about you from trusted partners, including marketing partners who provide us with information about potential customers of our business services, and security partners who provide us with information to protect against abuse. We also receive information from advertisers to provide advertising and research services on their behalf.
It has recently come to light in a failed attempt to redact a public court document that Facebook considered selling access to its over 2 billion-strong set of user data. On one hand, it’s easy to see why many FB users are reluctant to quit the service, it’s free and convenient; it’s where they’ve grown to communicate with all of their friends and family; get their “fake” newsfeed from; get some of their entertainment from; coordinate events; partake in social groups, and store a metric crap-ton of their personal media such as photos and videos. In many ways, Facebook is a lot like Google in the massive amount of information it collects and stores for users.
Featured Privacy Tactics, Techniques, & Procedures
Bulletproofing your digital identity and privacy are admittedly next to impossible tasks to accomplish in today’s highly digitized and connected world. However, as I have mentioned throughout this series there are TTP that you can apply individually to better protect yourself and make yourself virtually untraceable. If you’ve followed along in the series, you’ve probably heard me refer to this as making yourself a hard target. It’s akin to hardening a device or computer system. The thought is that if you make it harder for people, companies, or organizations to track you digitally or even physically, then they will give up and seek easier prey which is plentiful in a field of sheep.
Remember, you are a wolf, not a sheep. You have to actively protect your personal information so that others cannot use it against you in some way. This isn’t just about stopping Facebook and Google from knowing what you’re looking at online; this goes much deeper than that. This is about a lifestyle choice; it’s about staying safe and out of reach from danger. There are readers whose lives depend on laying low, readers who have ex-husbands or criminals actively trying to hunt them down. For many people reading this, becoming virtually untraceable is not a game or some novel concept that we can sit around and pontificate about. It is life and death! This is serious shit. You would do well to treat your privacy seriously as well because one day it could become a life or death matter for you also. Don’t wait until then to get in the habit…
One tip I like to tell people is to turn off your computer and devices when you’re not using them. Shutting your devices and computers down narrows the window of opportunity that attackers or malware have to compromise your system. “What’s that? That’s just security through obscurity?” Nope, nice try all you security experts out there, this is simply about being smart. Think of it like this. If you’re in a gunfight, are you going to unnecessarily expose yourself to enemy fire if you don’t absolutely have to for the sake of the mission or to save your or someone else’s life? I am guessing not. That’s exactly what you’re doing though when you leave your systems online connected to the Internet 24–7–365.
A successful “hack” of another person’s computer or corporate network typically involves scanning the system for vulnerabilities, OS types, application version numbers, and such before the attacker customizes exploits. It’s harder to do that if the system is unreachable and thereby un-scannable when not in use. That being said, you still need to patch your software and devices regularly (designate a patch day every month for all of your computers and devices) or this security tip becomes useless and then it really does become what we call security through obscurity in the information security realm.
Unless you have Remote Desktop Connection and “Wake On LAN” enabled on your Windows PC, there is very little chance an attacker can remotely power on your home computer. However, you should also know that your computer isn’t necessarily “powered off” when you turn it off. Depending on your PC settings, shutting down your PC may only be sending it into hibernation or a power-saving sleep mode. Check your computer’s settings because making your computer more of a ‘hard target’ is what this is all about. No matter what anyone tells you, if your computer is truly powered off, it will not be visible from the Internet and therefore, it is less likely to fall victim to any type of network attack. That being said, this action alone will not protect your devices/computers, so, as I have mentioned, don’t rely on it as your sole precautionary security measure.
As soon as you power back on and re-connect to the Internet, the cyber threats are immediately back in full effect. Think of this strategy as merely another part of your overall defense-in-depth security strategy along with anti-virus/malware software, frequent software patching, a properly configured firewall, a paid-service Virtual Private Network (VPN), browser cookie blocker (e.g., Privacy Badger), or an anonymous browser such as Tor or Freenet, etc. You might also save some electrical utility costs and usage life on your devices by not running them constantly.
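One way to check the shutdown, wake, and remote-access settings discussed above on a Windows PC, as an added example that is not part of the original article. The function names `Get-RegistryDword` and `Get-PowerExposure` are hypothetical; the registry values, `powercfg`, and `Get-NetAdapterPowerManagement` are standard Windows components, and the script only reads settings.

```powershell
# Added example (not from the original article): read-only audit of the
# Windows settings that decide whether "Shut down" is a full power-off and
# whether the PC can be woken or reached remotely.

function Get-RegistryDword {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value does not exist
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-PowerExposure {
    $powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Power'
    $tsKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'

    # HiberbootEnabled = 1: Fast Startup is on, so "Shut down" hibernates the
    # kernel session instead of performing a full shutdown.
    $fastStartup = (Get-RegistryDword $powerKey 'HiberbootEnabled') -eq 1

    # fDenyTSConnections = 0: inbound Remote Desktop connections are allowed.
    $rdpEnabled = (Get-RegistryDword $tsKey 'fDenyTSConnections') -eq 0

    # Devices currently permitted to wake the system (keyboard, mouse, NIC...).
    # powercfg prints "NONE" (English locale) when the list is empty.
    $wakeDevices = @(powercfg /devicequery wake_armed |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and $_ -ne 'NONE' })

    # Network adapters whose driver has Wake-on-LAN (magic packet) enabled.
    $wolAdapters = @(Get-NetAdapterPowerManagement -ErrorAction SilentlyContinue |
        Where-Object { $_.WakeOnMagicPacket -eq 'Enabled' } |
        Select-Object -ExpandProperty Name)

    [pscustomobject]@{
        FastStartupEnabled   = $fastStartup
        RemoteDesktopEnabled = $rdpEnabled
        WakeArmedDevices     = $wakeDevices
        WakeOnLanAdapters    = $wolAdapters
    }
}

$report = Get-PowerExposure
$report | Format-List

if ($report.FastStartupEnabled) {
    Write-Warning 'Fast Startup is on: "Shut down" hibernates the kernel. Use "shutdown /s /t 0" for a full shutdown, or "powercfg /h off" to disable hibernation.'
}
if ($report.WakeOnLanAdapters.Count -gt 0) {
    Write-Warning ("Wake-on-LAN is enabled on: " + ($report.WakeOnLanAdapters -join ', '))
}
if ($report.RemoteDesktopEnabled) {
    Write-Warning 'Remote Desktop accepts inbound connections. Disable it if you do not use it.'
}
```

Wake-on-LAN can also be controlled in the UEFI/BIOS setup, which this script cannot see, so check there as well.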
Another site that you will definitely want to check out if you haven’t already is www.privacytools.io. This site is a goldmine of privacy-related information and a lot of good privacy tools for you to check out as well. It maintains a list of VPN providers located OUTSIDE OF THE U.S. that do not collect browsing data on customers using their services. The fact that they are not located in the U.S. is important because that protects your VPN use from the prying eyes of the U.S. government. The Privacy Tools site also has a list of privacy-conscious email providers and search engines featuring services such as ProtonMail and DuckDuckGo that I’ve previously covered in this series.
Be sure to check out the new “Brave” browser which is based on Chromium.
Low-Tech Security: Evasion and Anonymity Tip
“Be extremely subtle, even to the point of formlessness. Be extremely mysterious, even to the point of soundlessness.” — Sun Tzu
Be very careful about what you throw away in the trash. You never know who is digging through your garbage, especially with the increasing homeless population in the nation. It might surprise you to learn that the military has counterintelligence teams that randomly perform “dumpster diving” outside organizational buildings to see what types of information they can find in the trash. Oftentimes, they find some really juicy stuff like unit “alpha” rosters with everyone’s name, SSN, home addresses, DOBs, etc. Other times they actually find classified information and then it turns into a full-blown security investigation because someone didn’t follow proper destruction protocols.
Some operational security (OpSec) best practices are to invest in a good crosscut shredder, but those can be expensive and ineffective when they break or don’t do a sufficient job. A better destruction method is to burn any sensitive paperwork instead of throwing it away in the trash. I’ll admit that burning sensitive materials is not the greatest for the environment, but when it comes to security it is best not to leave any risk that someone may be able to re-connect the dots later on. In colder months, I will make fires in the fireplace to keep the house warm anyway and what I try to do is to collect any sensitive materials in a “Burn Bag.” I burn the contents of the burn bag whenever it gets full, but I am careful to do it slowly so that every piece of paper is fully burned. If there is a need to burn documents during the warmer months, we have a burn pit in the backyard for when we have company and I’ll throw the sensitive documents in that on occasion as well.
Well, that does it for this newsletter. If you enjoyed the read remember to upvote, clap for, or re-tweet the article to let me know someone liked it, please. Until next time, and remember this mantra to live by for those seeking to become virtually untraceable which I’ve taken the liberty to modify slightly since my last installment for added effect:
***Trust No One. Verify Everything. Leave No Trace.***
Additional Privacy Resources
*Privacy-related articles also published by the author can be found here.