Privacy Guides

In the digital age, protecting your personal information might seem like an impossible task. We’re here to help.

This is a community for sharing news about privacy, posting information about cool privacy tools and services, and getting advice about your privacy journey.


You can subscribe to this community from any Kbin or Lemmy instance:



Check out our website at privacyguides.org before asking your questions here. We've tried answering the common questions and recommendations there!

Want to get involved? The website is open-source on GitHub, and your help would be appreciated!


This community is the "official" Privacy Guides community on Lemmy, which can be verified here. Other "Privacy Guides" communities on other Lemmy servers are not moderated by this team or associated with the website.


Moderation Rules:

  1. We prefer posting about open-source software whenever possible.
  2. This is not the place for self-promotion if you are not listed on privacyguides.org. If you want to be listed, make a suggestion on our forum first.
  3. No soliciting engagement: Don't ask for upvotes, follows, etc.
  4. Surveys, Fundraising, and Petitions must be pre-approved by the mod team.
  5. Be civil, no violence, hate speech. Assume people here are posting in good faith.
  6. Don't repost topics which have already been covered here.
  7. News posts must be related to privacy and security, and your post title must match the article headline exactly. Do not editorialize titles, you can post your opinions in the post body or a comment.
  8. Memes/images/video posts that could be summarized as text explanations should not be posted. Infographics and conference talks from reputable sources are acceptable.
  9. No help vampires: This is not a tech support subreddit, don't abuse our community's willingness to help. Questions related to privacy, security or privacy/security related software and their configurations are acceptable.
  10. No misinformation: Extraordinary claims must be matched with evidence.
  11. Do not post about VPNs or cryptocurrencies which are not listed on privacyguides.org. See Rule 2 for info on adding new recommendations to the website.
  12. General guides or software lists are not permitted. Original sources and research about specific topics are allowed as long as they are high quality and factual. We are not providing a platform for poorly-vetted, out-of-date or conflicting recommendations.

founded 2 years ago
1
 
 

The video discusses the privacy concerns associated with SIM cards in mobile phones, highlighting three main reasons to be cautious. First, it explains how SIM cards enable constant location tracking through communication with cell towers. Second, it delves into the autonomy of SIM cards, particularly proactive SIMs that can send hidden messages to the cell network without the user's knowledge. Lastly, it explores the potential risks of having too much control centralized on a single device, particularly in terms of split tunneling with VPNs.

Then Naomi shares personal reasons for not using a SIM card in her phone, emphasizing alternatives such as relying on WiFi, using an anonymous Calyx hotspot, or considering mobile hotspots. The benefits of these alternatives include increased privacy, the ability to control VPN usage, and reduced exposure to potential hidden messages sent by SIM cards. The video also touches on potential downsides, such as the need to carry multiple devices and potential connectivity issues when using hotspots.

2
 
 

TL;DR version:

Several popular iOS apps, including Facebook, LinkedIn, TikTok, and Twitter, have been found to be collecting user data through notifications, even when the app is closed, according to tests conducted by security researchers at Mysk Inc. The data collected includes IP addresses, device information, and other identifiable details, which can be used for targeted advertising and tracking purposes. While some of the companies involved have denied the allegations, the researchers claim that the data collection is unnecessary for notification processing and appears to be related to analytics and tracking. The issue is believed to be widespread among iOS apps, and Apple's lack of enforcement of its own privacy rules has been criticized. Upcoming changes to the iPhone operating system's rules may help address the problem, but it remains to be seen how effectively they will be enforced.

Mitigating the issue:

  • According to a reply from the researchers under their video:

Disabling the notifications prevents this from happening, but you have to toggle the option "Allow Notifications" of the app off. Allowing the notifications while disabling the alerts isn't enough.

  • Another article from BleepingComputer similarly notes that:

iPhone users who want to evade this fingerprinting should disable push notifications entirely. Unfortunately, making notifications silent will not prevent abuse. To disable notifications, open 'Settings,' head to 'Notifications,' select the app you want to manage notifications for and tap the toggle to disable 'Allow Notifications.'

Link to the researchers' original post on Mastodon: https://mastodon.social/@mysk/111816751385137545

3
4
5
 
 

cross-posted from: https://lemmy.world/post/11117839

Fossify Phone (fork of Simple Dialer) has been released on F-Droid.

Fossify Gallery (fork of Simple Gallery), Fossify File Manager (fork of Simple File Manager) and Fossify Calendar (fork of Simple Calendar) are also available for download on F-Droid, with more to come.

(ICYMI: Simple Mobile Tools suite was acquired by an adware company and their apps on the Google Play Store now contain trackers and unnecessary permissions. This report from Exodus shows that the old version of Simple Gallery had 0 trackers and 10 permissions, whereas the app, after sale, contains 9 trackers and 21 permissions!)

About Fossify: Fossify is all about community-backed, open-source, and ad-free mobile apps. A fork of the SimpleMobileTools, which is no longer maintained, and we’re here to continue the legacy, bringing simple and private tech to everyone.

6
 
 

Apple today launched a new tool for iPhones to help reduce what a thief with your phone and passcode can access. The feature, called Stolen Device Protection, adds extra layers of protection to your iPhone when someone tries to access or change sensitive settings on your device.

7
 
 

I'll install GrapheneOS, I just need my carrier to unlock it first. For now though, what can I do to make it as private as I can?

8
9
 
 

The article provides a comprehensive overview of the risks associated with targeted ads and malvertising. It offers insights into the different ways malvertising can be carried out and how it can appear on any advertisement on any website, including popular ones. It cites examples of high-profile malvertising cases involving major companies and platforms. The article also highlights the dangers of malicious scripts that can be downloaded without user interaction and discusses the potential risks of scams and phishing.

The article provides clear and actionable advice on how to mitigate these risks, such as blocking ads and associated scripts, using adblocking software like uBlock Origin, and employing DNS resolvers capable of blocking malware and ads.

It also offers guidance on what to do when blocking ads is not possible, emphasizing the importance of avoiding clicking on displayed advertisements and being cautious of too-good-to-be-true offers.

Overall, the article is well-researched, informative, and provides a resource for understanding the risks of targeted ads and malvertising.

10
 
 

cross-posted from: https://lemmy.world/post/11003492

Excerpts from the article and another article by the Electronic Frontier Foundation (EFF):

While Meta won’t collect messages themselves, there is nothing stopping them from collecting metadata on those very messages.

By design, Meta has access to a lot of unencrypted metadata, such as who sends messages to whom, when those messages were sent, and data about you, your account, and your social contacts. None of that will change with the introduction of default encryption.

Meta has a reputation for collecting its users’ data: a key part of its lucrative advertising business. In fact, last year, the company earned a US $1.3 billion fine from European Union regulators for transferring EU citizens’ Facebook data to the United States.

Meta’s documentation indicates the company will continue to process messages’ metadata: what time a message was sent, for example, and who sent it to whom. The company says it will use metadata to help identify bad actors. Privacy advocates see this use case as evidence metadata can make a double-edged sword.

“This also demonstrates how much can be inferred from behaviors and metadata without needing access to the actual contents of messages themselves,” says Geraghty. “So we have to ask: What could Meta be using this data for additionally? It’s likely this metadata will be used to continuously enrich user profiles for targeted advertising purposes.”

11
 
 

Hi, I'm on Windows 10 at home and Windows 11 at work. I'm going to migrate to Linux for my next PC (might eventually do it on this one, though I've currently done so many tweaks that I intend to keep this for gaming for now). Our two laptops and mini-PC already run Linux Mint, but I digress... (I just don't want anyone to think I'm totally unaware of the problems with Windows and Microsoft.)

My uses for a webcam are:

  • Streaming with friends (sharing games and video feed, playing Jackbox games, chatting, etc.)

  • Playing Magic the Gathering via Spelltable (so it needs to be able to be positioned facing my playmat and good enough quality to detect the cards)

  • Video call with family and friends

  • Occasional use for presenting professional webinars (during occasions when I have to work from home)

  • Occasionally pre-recording work-related content that will be publicly viewable

  • Use with OBS virtual camera

At work, I use a Logitech camera that my employer provided me with OBS software. It's an older model, but I'm not sure of model number or anything off the top of my head. It's not the best, and I'd like something a bit better at home.

At home, I was using a similar Logitech camera, but a year ago I decided to upgrade and purchased the Razer Kiyo Pro. What a mistake! Every time this camera gets plugged in, it prompts me to install Razer Synapse. It even puts the installer directly on my hard drive without my permission!

I've saved up a bit, and I'd like to try again with a different camera, one that doesn't push its proprietary software on me. I was considering Logitech, but iirc Logi's newer models also do the same thing. Or is this wrong?

Either way, I'd be so grateful if someone could recommend a reasonably high quality budget camera in the ~$100 range. I could go up to maybe $125, but after that it would start to really hurt.

I've done a lot of searching myself, but it turns out it's pretty hard to find a camera that doesn't either require or constantly push its proprietary software, and apparently some people [checks notes] like the proprietary software being shoved at them???

Anyway, I'd be so thankful if you could help. This community helped me so much before when I needed a modem and router to escape the clutches of my IP, so I thought maybe someone would have some advice.

12
 
 

I have a Google Pixel, and I know I could install GrapheneOS on it. But I'm very, very hesitant, since I depend so much on my phone.

This isn't like distro hopping, where I feel more comfortable hot swapping SSDs, or making partitions, or using my desktop while I tinker with my laptop. My phone has a SIM and the service I depend on can't be emulated off this phone.

So what do you recommend I do? Should I move my SIM (my phone service, really) to a new phone while I tinker with this one? Can I just blow up the current OS and wing it? Or maybe there's another option that would allow me to bail back to stock Android in case something goes wrong. What do you think?

EDIT: how I use my phone: about everything I use is from F-Droid, with the occasional app from Aurora. I do use my banking app to cash checks, but I don't use WhatsApp, Google Pay, which I know aren't compatible. So as far as app compatibility I don't think it'll be a problem, I'm mostly worried about my phone number not working. I don't know how SIMs work like I should, I just know I've had the strangest issues in the past with it, so I'm hesitant. Thanks for the replies so far.

13
 
 

Full text from the Electronic Frontier Foundation (EFF) article:

Companies Make it Too Easy for Thieves to Impersonate Police and Steal Our Data

By Matthew Guariglia and Eva Galperin

For years, people have been impersonating police online in order to get companies to hand over incredibly sensitive personal information. Reporting by 404 Media recently revealed that Verizon handed over the address and phone logs of an individual to a stalker pretending to be a police officer who had a PDF of a fake warrant. Worse, the imposter wasn’t particularly convincing. His request was missing a form that is required for search warrants from his state. He used the name of a police officer that did not exist in the department he claimed to be from. And he used a Proton Mail account, which any person online can use, rather than an official government email address.

Likewise, bad actors have used breached law enforcement email accounts or domain names to send fake warrants, subpoenas, or “Emergency Data Requests” (which police can send without judicial oversight to get data quickly in supposedly life or death situations). Impersonating police to get sensitive information from companies isn’t just the realm of stalkers and domestic abusers; according to Motherboard, bounty hunters and debt collectors have also used the tactic.

We have two very big entwined problems. The first is the “collect it all” business model of too many companies, which creates vast reservoirs of personal information stored in corporate data servers, ripe for police to seize and thieves to steal. The second is that too many companies fail to prevent thieves from stealing data by pretending to be police.

Companies have to make it harder for fake “officers” to get access to our sensitive data. For starters, they must do better at scrutinizing warrants, subpoenas, and emergency data requests when they come in. These requirements should be spelled out clearly in a public-facing privacy policy, and all employees who deal with data requests from law enforcement should receive training in how to adhere to these requirements and spot fraudulent requests. Fake emergency data requests raise special concerns, because real ones depend on the discretion of both companies and police—two parties with less than stellar reputations for valuing privacy.

14
 
 

cross-posted from: https://lemmy.world/post/10958052

Vanguard, the controversial anti-cheat software initially attached to Valorant, is now also coming to League of Legends.

Summary:

The article discusses Riot Games' requirement for players to install their Vanguard anti-cheat software, which runs at the kernel level, in order to play their games such as League of Legends and Valorant. The software aims to combat cheating by scanning for known vulnerabilities and blocking them, as well as monitoring for suspicious activity while the game is being played. However, the use of kernel-level software raises concerns about privacy and security, as it grants the company complete access to users' devices.

The article highlights that Riot Games is owned by Tencent, a Chinese tech giant that has been involved in censorship and surveillance activities in China. This raises concerns that Vanguard could potentially be used for similar purposes, such as monitoring players' activity and restricting free speech in-game.

Ultimately, the decision to install Vanguard rests with players, but the article urges caution and encourages players to consider the potential risks and implications before doing so.

15
1
This Week in Privacy #5 (blog.privacyguides.org)
submitted 10 months ago by jonah@lemmy.one to c/privacyguides@lemmy.one
16
 
 

cross-posted from: https://lemmy.world/post/10939423

About Platform Tilt:

This dashboard tracks technical issues in major software platforms which disadvantage Firefox relative to the first-party browser. We consider aspects like security, stability, performance, and functionality, and propose changes to create a more level playing field. Further discussion on the live issues can be found in our platform-tilt issue tracker.

Mozilla's blog post:

Browsers are the principal gateway connecting people to the open Internet, acting as their agent and shaping their experience. The central role of browsers has long motivated us to build and improve Firefox in order to offer people an independent choice. However, this centrality also creates a strong incentive for dominant players to control the browser that people use. The right way to win users is to build a better product, but shortcuts can be irresistible — and there’s a long history of companies leveraging their control of devices and operating systems to tilt the playing field in favor of their own browser.

This tilt manifests in a variety of ways. For example: making it harder for a user to download and use a different browser, ignoring or resetting a user’s default browser preference, restricting capabilities to the first-party browser, or requiring the use of the first-party browser engine for third-party browsers.

For years, Mozilla has engaged in dialog with platform vendors in an effort to address these issues. With renewed public attention and an evolving regulatory environment, we think it’s time to publish these concerns using the same transparent process and tools we use to develop positions on emerging technical standards. So today we’re publishing a new issue tracker where we intend to document the ways in which platforms put Firefox at a disadvantage and engage with the vendors of those platforms to resolve them.

This tracker captures the issues we experience developing Firefox, but we believe in an even playing field for everyone, not just us. We encourage other browser vendors to publish their concerns in a similar fashion, and welcome the engagement and contributions of other non-browser groups interested in these issues. We’re particularly appreciative of the efforts of Open Web Advocacy in articulating the case for a level playing field and for documenting self-preferencing.

People deserve choice, and choice requires the existence of viable alternatives. Alternatives and competition are good for everyone, but they can only flourish if the playing field is fair. It’s not today, but it’s also not hard to fix if the platform vendors wish to do so.

We call on Apple, Google, and Microsoft to engage with us in this new forum to speedily resolve these concerns.

17
 
 

Quote from the article:

“People are aware of selfie cameras on laptops and tablets and sometimes use physical blockers to cover them,” says Liu. “But for the ambient light sensor, people don’t even know that an app is using that data at all. And this sensor is always on.” Liu notes that there are still no blanket restrictions for Android apps.

Remark added by me:

Here, it might interest readers to know that unlike Stock Android, GrapheneOS (GrapheneOS is an Android-based, open source, privacy and security-focused mobile operating system for selected Google Pixel smartphones) provides a sensors permission toggle for each app. According to their website:

Sensors permission toggle: disallow access to all other sensors not covered by existing Android permissions (Camera, Microphone, Body Sensors, Activity Recognition) including an accelerometer, gyroscope, compass, barometer, thermometer and any other sensors present on a given device. When access is disabled, apps receive zeroed data when they check for sensor values and don't receive events. GrapheneOS creates an easy to disable notification when apps try to access sensors blocked by the permission being denied. This makes the feature more usable since users can tell if the app is trying to access this functionality.

To avoid breaking compatibility with Android apps, the added permission is enabled by default. When an app attempts to access sensors and receives zeroed data due to being denied, GrapheneOS creates a notification which can be easily disabled. The Sensors permission can be set to be disabled by default for user installed apps in Settings ➔ Privacy.

In conclusion, allow me to emphasize another quote from the article:

“The acquisition time in minutes is too cumbersome to launch simple and general privacy attacks on a mass scale,” says Lukasz Olejnik, an independent security researcher and consultant who has previously highlighted the security risks posed by ambient light sensors. “However, I would not rule out the significance of targeted collections for tailored operations against chosen targets.” Liu agrees that the approach is too complicated for widespread attacks. And one saving grace is that it is unlikely to ever work on a smartphone, as the displays are simply too small. But Liu says their results demonstrate how seemingly harmless combinations of components in mobile devices can lead to surprising security risks.

18
19
1
submitted 10 months ago* (last edited 10 months ago) by Pantherina@feddit.de to c/privacyguides@lemmy.one
 
 

We can also break down users by country. The largest contingent of Snowflake users are in Iran, which has been the case since the Mahsa Amini protests in 2022. The graph shows also a large number of users apparently from the United States, but we believe that may be partly the result of geolocation errors, and many of them are actually from Iran. After Iran, the countries with the most Snowflake users are Russia and China.

20
21
22
 
 

I want to set up an RSS feed for me to subscribe to some websites. I am a newbie and have never used RSS before. I found Raven Reader, which is open source. But I don't know if it's trustworthy, too.

I would also be grateful for information on how safe it is to use RSS in general concerning privacy, e.g. can my feed be tracked from websites?

23
 
 

cross-posted from: https://sopuli.xyz/post/8117983

I have a pair of Bluetooth headphones, which I have been using since 2022. Today, I was sitting on the bus when some random person connected to them and started playing Free Bird.

It was a bit funny, but I don't want this to become a regular thing. Is there a way of locking the headphones to certain Bluetooth addresses? Or a way of making it not show up automatically on phones (similar to a hidden WiFi network)?

The headphones in question are the JBL Tune 510, which have a USB-C port. However, I don't know if this can be used to flash firmware.

If there's already a comment telling me to "just use wired" or something, please don't tell me again. It's the best solution, but my phone doesn't have a headphone jack (fuck you, Apple).

Thanks!

24
 
 

The article lists settings to change on Android 14 and iOS 17.

According to the author:

Recommended setting changes reduce the amount of data submitted to device manufacturers, cell carriers, or app developers and improve device security against common threats, such as those posed by nosy people who find the device unattended or by common malware.

By enabling all of these settings, you are significantly reducing the amount of tracking and data collection these devices perform, but keep in mind that you are not completely eliminating it.

25
 
 

Summary:

The article debunks several common misconceptions related to software security and privacy:

"Open-source software is always secure" or "Proprietary software is more secure"

First, it clarifies that whether software is open-source or proprietary does not directly impact its security. Open-source software can be more secure due to transparency and third-party audits, but there is no guaranteed correlation. Similarly, proprietary software can be secure despite being closed-source.

"Shifting trust can increase privacy"

Second, the concept of "shifting trust" is discussed, emphasizing that merely transferring trust from one entity to another does not ensure complete security. Instead, users should combine various tools and strategies to protect their data effectively.

"Privacy-focused solutions are inherently trustworthy"

Third, focusing only on privacy policies and marketing claims of privacy-focused solutions can be misleading. Users should prioritize technical safeguards, such as end-to-end encryption, over trusting providers based on their stated intentions alone.

"Complicated is better"

Lastly, the complexity of privacy solutions is addressed, encouraging users to focus on practical, achievable methods rather than unrealistic, convoluted approaches.
