Alex Hyett

Originally published at alexhyett.com

The Privacy Rabbit Hole

In my last issues I talked a bit about the Online Safety Act and the UK trying to introduce age verification pretty much anywhere that adults interact. This has led to online forums that either can't or won't comply with this draconian law shutting down, or choosing to just block access from the UK.

Of course, it is not just the UK that this applies to, as other countries seem to think it is a great idea to allow websites to hold mass databases of user identities. What could possibly go wrong!

Currently, most countries are only limiting true adult content with age verification, but I doubt it will be long before they follow the UK's example.

All of this led me down a bit of a privacy rabbit hole. I don't have anything to hide, but I still believe privacy is a human right.

“Why privacy matters” is a good read on this.

For normal users like myself, I don't need to worry too much about staying completely anonymous when online. At the end of the day, most of my online activities are under my own name anyway.

Threat Model

If you aren't trying to hide from the FBI, NSA, MI5 or some other 3 letter acronym agency then your “threat model” is probably quite similar to mine.

These are my key concerns:

  • I never want to give a company a copy of my identity (passport, driving licence or ID card) unless it is strictly necessary. I can understand for banking to prevent money laundering or for accessing government or medical services, but I am not doing it to access social media or any other user forums or websites. If Netflix starts asking for my ID I will just take my money elsewhere.
  • I don't want anyone reading my private messages or phone calls that I have with my wife, family, or friends. I expect that conversation to stay as private as if I had had it in person. The thought of the government or some corporate company reading or scanning my messages is just creepy.
  • I don't want any of my files, emails, messages, or other personal information being used to train AI or used for advertising purposes.
  • I don't want the government deciding what I can or cannot view as an adult on the internet (excluding illegal content). If I want to learn how to brew beer, I don't expect to be censored or blocked because it is not child appropriate.

My threat model is fairly simple, so yours may be different. It is up to you to work out what information you are concerned about and whether you are happy for that information to suddenly become public knowledge.

Solutions

Given my simple threat model, the solutions are equally simple.

Saying no to ID verification

In the UK if you want to sign up to social media or access forums without opening yourself up to identity theft then you can use a VPN. I use Mullvad (no affiliation) for this and I have been quite happy with them.

If you don't want to pay for a VPN then there is also Tor. Tor gets a bit of a bad reputation due to all the dark web websites for illegal activities. However, most people are just using it to avoid censorship in their country. It is also funded by reputable companies and the US government.

At some point we may even need to provide ID to watch age-rated films on Netflix or any of the other streaming services. You might think this is unlikely, but Spotify has already started implementing this. If that happens I will just refuse to use their service and get my entertainment another way. Time to start buying DVDs and CDs again!

Private Messaging

I am trying to get my family to stop using WhatsApp. Supposedly the messages are encrypted, but I am sure Meta has no issue adding a backdoor for the government. Given Meta's approach to privacy, anything that is not encrypted is fair game for advertising purposes such as whom you talk to and anything on your profile.

The main contender for private messaging is Signal. It is the most user-friendly of the lot and is even used by the US government to discuss military tactics.

It is not anonymous, as you still need to provide a phone number, which is likely linked to your identity anyway, but it is enough to stop companies or the government scanning all your messages.

If you need true decentralised private anonymous messaging then it is worth checking out Briar. It is Android only though, so isn't a great option for chatting with friends and family. It is peer to peer and even works when the internet is down.

There are other technologies such as Meshtastic, MeshCore and Reticulum that can do decentralised messaging over LoRa (long range radio) and other networks. Even Jack Dorsey (who originally started Twitter) is getting in on this with BitChat. They are all quite niche and technical to set up and are mostly used by hobbyists. I think if the internet carries on the way it is going then these might become more popular.

The elephant in the room is email.

Email by its very nature is not private. It is the equivalent of writing on a postcard. Your email can be read by any server the email passes through (e.g. the sender and recipient inboxes).

In short, never send sensitive information over email.
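
To make the postcard comparison concrete, here is an added example (not from the original post) that reads a message's Received headers and lists each server that handled it. The sample message, hostnames and function names are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message: hosts, addresses and ids are made up.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [203.0.113.9])
\tby imap.recipient.example with LMTP id abc123;
\tMon, 01 Sep 2025 10:00:03 +0000
Received: from out.sender.example (out.sender.example [198.51.100.7])
\tby mx.recipient.example with ESMTPS id def456;
\tMon, 01 Sep 2025 10:00:02 +0000
Received: from laptop.local (unknown [192.0.2.44])
\tby out.sender.example with ESMTPSA id ghi789;
\tMon, 01 Sep 2025 10:00:01 +0000
From: alice@sender.example
To: bob@recipient.example
Subject: Postcard

The body is plain text on every server listed above.
"""

HOP = re.compile(r"from\s+(\S+).*?\bby\s+(\S+)(?:.*?\bwith\s+(\S+))?", re.I)
TLS_PROTOCOLS = {"ESMTPS", "ESMTPSA", "LMTPS", "LMTPSA"}  # RFC 3848 values

def hops(raw):
    """Relay hops in travel order, parsed from the Received headers."""
    found = []
    # Each server prepends its header, so reverse to get travel order.
    for value in reversed(message_from_string(raw).get_all("Received", [])):
        m = HOP.search(" ".join(value.split()))  # unfold the header first
        if m:
            proto = (m.group(3) or "").rstrip(";").upper()
            found.append({"from": m.group(1), "by": m.group(2), "with": proto,
                          "tls_link": proto in TLS_PROTOCOLS})
    return found

def is_end_to_end_encrypted(raw):
    """True for PGP/MIME or an inline-PGP body; headers stay readable anyway."""
    msg = message_from_string(raw)
    payload = msg.get_payload()
    return (msg.get_content_type() == "multipart/encrypted"
            or (isinstance(payload, str) and "-----BEGIN PGP MESSAGE-----" in payload))

def servers_that_could_read_body(raw):
    """TLS only protects each link; every receiving server holds the body."""
    return [] if is_end_to_end_encrypted(raw) else [h["by"] for h in hops(raw)]

if __name__ == "__main__":
    for h in hops(SAMPLE):
        print(f'{h["from"]} -> {h["by"]} via {h["with"]} (TLS link: {h["tls_link"]})')
    print("Could read the body:", servers_that_could_read_body(SAMPLE))
```

Received headers are written by the servers themselves, so treat any hop recorded before your own provider's as unverified.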

There are ways to make email more private. For one, don't use Google, Outlook, Yahoo or any of the other companies that might want to scan your emails to train AI or for advertising.

If you want encrypted email then there is:

  • Tuta — Your inbox is encrypted, and only you can read it. All emails to other Tuta users are encrypted, and you can send encrypted emails to others, but they will need to enter a password to read them. You need to use the Tuta app or web client to access your emails. Of course, any unencrypted emails you send or receive can still be read by the recipients' provider. Tuta use their own hybrid encryption algorithm.
  • Proton — Similar to Tuta, your inbox is encrypted and only readable by yourself. Proton works using PGP, but again you need to use their apps or website to access your emails. You can send encrypted emails to non-Proton users, and again they will need to enter a password.
  • Mailbox.org — A simpler option if you still want to use your existing mail app. They don't offer encryption as standard but do support encrypting your inbox with your own PGP key. Most mobile mail apps (at least on iOS) don't support PGP, however, and very few people use it.

Private Cloud File Storage

If you are not in the UK and you use iCloud then the simplest option is to turn on Advanced Data Protection. This will encrypt your data with a key that you own, instead of a key that Apple owns, which would let them read your data.

You can turn this on by going to Settings > Your Account Profile (e.g. Your Name) > iCloud > Advanced Data Protection.

If you are in the UK you will be greeted by this message:

Apple can no longer offer Advanced Data Protection (ADP) in the United Kingdom to new users.

This is because the UK wanted Apple to open a backdoor to their encryption and Apple refused (well done Apple). They did however disable ADP for UK users, so they still have the ability to hand over all your data to the government if asked.

The best option I have found for UK iOS users or those using other cloud storage like Dropbox, OneDrive or Google Drive is Cryptomator. It is free (at least for read only on iOS) on all devices and will encrypt all your files and file names which can be decrypted with a password.

This way you can make use of cloud storage without them being able to access your files.

Alternatively, you can host everything yourself and use something like Syncthing to sync files between all your devices. Syncthing is encrypted and peer-to-peer, so your data is never on a centralised server anywhere.

Avoiding censorship

At the moment the easiest way to get around censorship is by using a VPN or Tor. Of course there may come a time when the internet as we know it just becomes unusable. I already get annoyed at all the cookie policies, adverts, and walled gardens as it is, not to mention the age verification. Websites have had to shut down to avoid the costs of having to comply with these laws.

However, whenever there is a centralised authority involved, websites can just be shut down at the source. Either the domain registrar blocks the domain, the hosting provider shuts down the site or the certificate authority refuses to issue certificates for it.

There are a few options. You can host an onion website on Tor. They don't have the easiest addresses, but at least you don't need to pay for a domain and you can host from your computer.

I have also been looking into I2P, which unlike Tor doesn't give access to the general internet (“clear web”) but only gives access to what they call eepsites. Most of the eepsites are just personal blogs or mirrors of existing websites, but it gives people another option to access information that could otherwise be censored.

Failing that, you could go completely off grid and run an internet in a box. This is essentially a web server that can only be accessed over Wi-Fi. There are various long range Wi-Fi devices that work point to point over long distances. If you have a bunch of friends that live within a few miles of each other you could set up your own web network.

You can then use Kiwix to download offline copies of Wikipedia or your favourite YouTube videos.


❤️ Picks of the Week

📝 Article: Developing an alt text button for images on my website — If you have ever used Mastodon you will know how important alt text is to make the web more accessible. Often there is some good information in there as well if you can't work out the image. I like this idea of making the alt text easier to see on images.

📝 Article: Syncthing Eliminates File Sync Surveillance Through Mesh Architecture — I mentioned Syncthing this week and I have been using it for a few

👾 Game: Making Minecraft Spherical — I love the styling of this. I haven't played Minecraft in years, but this looks quite fun and the write-up on this is very well done.

📝 Article: If you have a Claude account, they're going to train on your data moving forward — If you are using a cloud AI you have to assume that any conversation you have is fair game for them to use. If you want private AI you will have to host it yourself using Ollama or LM Studio.

📝 Article: Some users have noticed settings that let Meta analyze and retain phone photos — Probably worth adding delete your Facebook account to the list of privacy measures above!

📝 Article: The day Return became Enter (2023) — Trying to explain to my kids what a typewriter is is interesting. I knew "Return" was for carriage return on a typewriter, but there were some other interesting bits in this article I didn't know.

📝 Article: Hardening Firefox: a checklist for improved browser privacy — If you are still using Chrome then stop reading and change your browser now. I use Waterfox which has a lot of these set up by default. There are other browsers based off of Firefox that have hardened security such as LibreWolf and the Mullvad Browser.

📝 Article: Are we decentralized yet? — I didn't know about the Herfindahl–Hirschman Index, but I am not surprised that Bluesky scores so badly.

📝 Article: My phone is an ereader now — Part of me wants to try a dumb phone, but I have yet to make the leap. I think having one for family holidays could be a good idea though.

🎬 Video: Your $1000 phone needs our permission to install apps now — I can see there will be a point where we need two phones. One for banking and any app that requires an approved device and then maybe a Linux phone for everything else.

📝 Article: Notes on Managing ADHD — If you have ADHD then there is some good advice on this page. I can relate to a lot of these. After a long day at work I can often run out of spoons completely.

📚 Books: Vintage Macintosh Programming Book Library — I am not entirely sure how useful these books would be now as calling them dated would be an understatement. I quite liked looking at the retro covers though!

📝 Article: Use One Big Server (2022) — It is amazing how expensive AWS is for hosting. If you are doing anything computationally expensive it will always be cheaper hosting it yourself.

📝 Article: Nintendo Switch 2 Dock USB-C Compatibility — I watched the YouTube video on this the other day while washing up. I certainly won't be buying any more Nintendo consoles if they keep going down this route.

📝 Article: Next.js is infuriating — I have used Next.js at work and it was quite a steep learning curve, which was on top of React, which is already a steep learning curve. I much prefer the alternatives like Vue or Svelte and if possible plain old HTML and CSS.

📝 Article: The staff ate it later — I am glad at least somewhere does this. I always think of the waste when I see these cake baking shows or where they make sculptures out of chocolate. Is anyone eating those? Obviously some cakes on “Nailed it” you eat at your own risk.

📝 Article: Making a Linux home server sleep on idle and wake on demand (2023) — It is a shame this is so hard to do. I have a main server with all my media on that I only turn on when I need it and have scheduled to turn off every day. Anything to save on electricity.

📝 Article: This blog is running on a recycled Google Pixel 5 (2024) — I am tempted to host a website on something like a Raspberry Pi with a solar panel like this one: LOW←TECH MAGAZINE. A mobile is not a bad option as it has a built-in battery.
