(   )
                          (    )
                           (    )
                          (    )
                            )  )
                           (  (                  /\
                            (_)                 /  \  /\
                    ________[_]________      /\/    \/  \
           /\      /\        ______    \    /   /\/\  /\/\
          /  \    //_\       \    /\    \  /\/\/    \/    \
   /\    / /\/\  //___\       \__/  \    \/
  /  \  /\/    \//_____\       \ |[]|     \
 /\/\/\/       //_______\       \|__|      \
/      \      /XXXXXXXXXX\                  \
        \    /_I_II  I__I_\__________________\
               I_I|  I__I_____[]_|_[]_____I
               I_II  I__I_____[]_|_[]_____I
               I II__I  I     XXXXXXX     I
            ~~~~~"   "~~~~~~~~~~~~~~~~~~~~~~~~

Wed, 14 Aug 2019

Privacy is Dead

I was listening to a news radio story about a woman who tried to divorce herself completely from the big five tech companies (you can guess which ones), which did not go well. She found it was effectively impossible, given the hold these companies have on the internet. Many of us here in the gopher underground or on the small internet have done the same, but really how effective is it?

Looking at it from the perspective of simple email communications, once you start communicating with anyone on the mainstream internet, you run afoul of network infrastructure from one of the big five. Take Google - if you don't mind the pain of letting your friends and family know that you have switched email addresses, you can dump gmail for any number of privacy-conscious providers. So far so good. Now, remember when, a short time after gmail first rolled out, Google released "Google apps" - which at that time was free for small businesses and personal users? As a result many thousands (millions?) of people, small businesses and schools moved their email service to Google's platform. It was free, after all, and people were already comfortable with gmail's web interface, so why not? Fast forward to 2019, and try to send email to anyone else on the internet, and there is a _very_ good chance you will have to transit one of Google's MX hosts. So your brother's vanity domain is really hosted on gmail, as is your kid's school, and you go to work and process all your email in gmail because your company is using gapps. Your perfectly private email provider is only private if you email only people who also use it. Send an email to your brother? Google has it. Send an email to your kid's math teacher? Google has it. And they also probably have your name and phone number, and the IP address and device you routinely send email from. And they know a lot of your email contacts and what you talk about. Even if you never had a Google account, you can bet Google has a record for you somewhere. And it's not just Google that has your social network graph and personal details. After the Snowden revelations, we learned that none of us were paranoid enough.
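To put a number on the point above, here is an added example (not the author's code) that tallies how many correspondents in an address book have their mail accepted by a large provider, judged by each domain's first-choice MX host. The provider suffix table, the `.example` domains and the MX text (in the format `dig +short MX <domain>` prints) are constructed assumptions.

```python
from collections import Counter

# Assumption: MX host suffixes published by two large mail operators.
PROVIDERS = {"google.com": "Google", "googlemail.com": "Google",
             "mail.protection.outlook.com": "Microsoft"}

def parse_mx(dig_output):
    """Parse `dig +short MX <domain>` lines into hosts sorted by preference."""
    records = []
    for line in dig_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].isdigit():
            records.append((int(parts[0]), parts[1].rstrip(".").lower()))
    return [host for _, host in sorted(records)]

def provider_for(mx_hosts):
    """Name the operator of the first-choice MX, or 'other' if unrecognised."""
    if not mx_hosts or mx_hosts[0] == "":
        return "other"  # no MX record at all, or a null MX ("0 .")
    host = mx_hosts[0]
    for suffix, name in PROVIDERS.items():
        # Match on a label boundary so "mx.notgoogle.com" is not a hit.
        if host == suffix or host.endswith("." + suffix):
            return name
    return "other"

def exposure(addresses, mx_by_domain):
    """Count correspondents per mail operator."""
    tally = Counter()
    for addr in addresses:
        domain = addr.rsplit("@", 1)[-1].lower()
        tally[provider_for(parse_mx(mx_by_domain.get(domain, "")))] += 1
    return tally

# Constructed sample data: example domains, not real lookups.
SAMPLE_MX = {
    "brother.example": "5 alt1.aspmx.l.google.com.\n1 aspmx.l.google.com.\n",
    "school.example": "1 aspmx.l.google.com.\n",
    "employer.example": "0 employer-example.mail.protection.outlook.com.\n",
    "tilde.example": "10 mail.tilde.example.\n",
    "lookalike.example": "10 mx.notgoogle.com.\n",
}
SAMPLE_BOOK = ["bro@brother.example", "teacher@school.example", "hr@employer.example",
               "friend@tilde.example", "x@lookalike.example"]

if __name__ == "__main__":
    for name, count in exposure(SAMPLE_BOOK, SAMPLE_MX).most_common():
        print(f"{name}: {count}")
```

The vanity domain and the school both count as Google even though neither address says so, which is the exposure the paragraph describes.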

And that sad state of affairs is just email - think about server hosting, public DNS (where I work we still find odd servers that resolve using 8.8.8.8 because a lazy admin set that up as a quick hack when a server was installed and never changed it to the proper internal nameservers), text messaging, instant messaging, and VOIP. The big five have a huge chunk of market share for those technologies.

So what is the alternative? You can try to convince your friends and family to stop using these services. Many of us have tried and failed. They have become an essential part of life for many, and they are not changing now. Unless you are in a position of authority or a business owner, your business won't move away from gapps. The company I work for uses gapps and also holds company meetings using Facebook ("Workbook"). For users of the walled gardens and associated apps, like Facebook Messenger and Instagram, the social pressure to conform and use these services is enormous, and (in the case of an employer) often mandatory.

You can try to encrypt email or IM or text chats or phone calls. But the other end also has to do the same, and you have to be confident that the recipient's hardware or software is not compromised in some way. Just by virtue of using a stock Android phone, they are not trustworthy. All of this is an almost impossible barrier to overcome, and I suspect many of us have given up. Sure, we can use LineageOS on our smartphones, or read mail using mutt over SSH on a VPS in the Netherlands, but at some point we'll have to hop out of our protective bubble and communicate with the greater internet. And when we do, we're owned.

posted at: 02:12 | big5, data, email, privacy, social