Things I'm learning being new to privacy/anonymity/security

I’m new to privacy. I don’t have a lot of useful insights, but there are some things I’ve realized that I don’t really see talked about a lot, so I thought it would be nice to give more voice to these. Warning, but the biggest reason these aren’t discussed super often is because much of these are niche, but they were things I was surprised about, so my main goal is to make it so that people newer than me are not so surprised by these things.

1. It’s hard/inconvenient/under-discussed finding phone numbers for SMS verification

This has been the biggest surprise for me. It’s pretty easy to find solutions to hide your email address, your payment information, and your name. It’s much harder to do the same, or at least the information isn’t out there. This goes double, because a surprising amount of services will not let you register without a phone number. More than you think, and none of it by necessity. I’ll often find myself on a whim wanting to sign up for something, only to be stopped by a phone number prompt, and I’ll be scouring the internet to find a number I can use. The excuse is almost always for 2FA. Amazon is one of these services, which stinks because it’s cited on the Techlore YouTube channel as well as others as a good way to receive packages anonymously. This phone number sign up issue isn’t brought up. I think I found a solution, but I haven’t tried it yet. It literally stops me from signing up to some things because I have no way to get a number for them.

2. Many online shops will not allow you to check out as a guest

Following up from the Amazon thing, you can’t check out as a guest on Amazon and many other websites. You must sign up, which again is a bummer considering how good Amazon lockers are supposed to be for privacy.

3. A lot of advice on privacy online seems to assume that you’re not being private in another way

This is difficult to explain. A good example is that it’s often said that when registering a new phone, it should be done far away from your home, and that optimally you would never be on your home wifi with that new phone. This is obviously very inconvenient, but also seems to smuggle in the idea that your home wifi isn’t secure. But there are ways to secure your home wifi. Changing your DNS, hardening your firewall settings, adding security to your switch and router, compartmentalizing what devices on your wifi network have access to which, changing your wifi name and passwords, adding guest wifis to your setup, etc. There isn’t really a lot of information out there on how necessary it is to never be on your wifi if you’ve done all this “hardening” because it seems like all info made on this subject assumes that no one does. My intuition is that there’s a lot of info on privacy that works like this, which makes it tough to know how to act if these things are being done. Like if you live somewhere and there’s no record that you live there, does it then matter for you to not turn on your phone near where you live if it’s assumed that you’ll use no location services while at home with your name attached to it? Answers to things like these are hard to find.

4. Some privacy alternatives are so superior that you forget that others can be inferior

I used to be one of those people who would use the same few passwords for everything. I used to sign up for everything with a Facebook/Google login. I used to give everything my one email address. The one most massive privacy/security combo that improved my quality of life is the password manager/alias email combo. The idea that it’s actually more convenient to not use the same password for everything is kind of mind blowing. I actually get no spam now too. I haven’t gotten a single piece of spam since changing email providers. So it surprises me that you can’t remove deleted contacts from Signal without blocking them, or you can’t have multiple phone numbers signed into the same phone on the same app for some reason or that you can’t change the names or pictures of contacts on Signal without linking Signal to your contacts, or add wallpapers to Signal Desktop. A lot of services in the privacy space are actually pretty bad about feature parity. I’m not really criticizing any of this, I get why it happens, it’s just something you’re not really prepared for until you’re in it.

5. Opsec is WAY more important than privacy/security software/services

Opsec (operation security = aka how you behave to be private and secure) is something I figured would just come with having all the software, but it doesn’t always. Forming good habits is. It’s easy to habitually make strong passwords when it’s built into your password manager, but using different browsers for different purposes, even when the one you use is good for privacy already, is something you have to train yourself to do. Once a habit is formed things are easy, but the surprising thing for me was that it doesn’t come naturally. If you get a private email address, but you don’t actually send emails privately, you’re not changing much. These are things I’m still learning about and figuring out, but it’s been really important for me to keep in mind. I just have really bad learned behavior when it comes to this stuff.

6. Privacy and anonymity and pseudonymity are similar, but different and those differences are important

I almost think that the topic “privacy and security” should be renamed “privacy, anonymity, pseudonymity, and security.” Privacy and anonymity are often grouped together because anonymity (and pseudonymity) can provide privacy, but they’re all different and I think it’s important to understand the differences and benefits.

Private = Particular access
Public = Universal access
Privacy = Control over particular access
Security = Ability to enforce particular access
Anonymity = Different general identity
Pseudonymity = Different specific identity

A good example of these differences and their importance is that accounts on this forum are likely pseudonymous for the most part, which aids in privacy, but they are not anonymous as there is an identity attached to them - just not yours. Browsing the internet on TOR is anonymous because there is no specific pseudonym attached to it or specific fingerprintable identity if you’re doing everything right. Instead, it’s the general “TOR” group identity. I don’t know if there are any services that actually have truly anonymous chats as you’d need to have it so that no one can tell for sure who is speaking, which would be annoying. Idk if even 4chan works like this.

Some of the Techlore guys have their names on here. Assuming they don’t use pseudonyms, because the forum is public, nothing they say here is private or pseudonymous. To that end, even when using a pseudonym, in some ways nothing you say here is private because your pseudonym is public. Your thoughts are public, but that they are your thoughts is private. There’s not a lot of emphasis on these differences and their importance. Especially anonymity vs pseudonymity. Most of the time that people use the word “anonymous,” pseudonymous is a better word. I think they’re all independently important, but anonymity and pseudonymity are things I didn’t really consider until I got more into this stuff.

7. “Publicity” is rarely talked about

It’s kind of assumed that everything should be the most private. The closest we get to a direct confrontation with how to deal with public things is the idea of threat modeling, but it deals more specifically with privacy even then. Even Edward Snowden does some things publicly, yet how to operate publicly isn’t really discussed, especially as a privacy-aware person. I want people in my circle to use private services for example, but do I want this to be a public part of my persona? Am I a privacy advocate, or just someone who is private? Discussions around privacy help halfway with this, but I think a focus on the public stuff would help the other stuff.

There’s also a rarely talked about correlation between privacy, security, and publicity: the higher your security, the more effective your privacy. This also means that the less secure something is, the more effectively public it is by definition. Now your security could just be that it’s a really well kept secret and nothing else, but the important thing to keep in mind is that what makes something private is specifically how secure it is. A park is less private than a house because there is no lock to a park, but an unlocked house is effectively just as public as a park even though we don’t think of things that way. A park only one person knows about is effectively more private than a house everyone knows about even if technically anyone could access it. Effectively, only one person can. Technically the house is more private, but effectively anyone who knows how to break into a house can access the well known house.


There’s probably more, but I figure this is a good jumping off point. Are there any things that surprised you about these topics when starting out that you don’t really see talked about?

3 Likes

This is the question, isn’t it? One observation is that there are—perhaps inherently, perhaps out of lack of interest—very few people who are actually interested in advocating for privacy and direct-consumer education in the same way that people like Techlore, The New Oil, Privacy Guides, and a few other groups or people do.

I think the reason that publicity is rarely talked about is just because that isn’t a goal for most people. Most people do not want to become Techlore, they don’t want to become Edward Snowden. I’ve never really heard any demand for more information about operating publicly, and the people in the privacy space who do operate publicly generally already know what they’re doing.

There is an argument that people who operate publicly from outside the privacy community should probably care more about this kind of thing, people like celebrities, business owners, other non-tech content creators, etc. This is something we’re thinking about with our coaching service for example, but I get the feeling that most of these people only care about privacy in a reactionary sense, only after they are personally impacted by something.

:man_shrugging:

2 Likes

Really nice write-up - thanks for sharing this! It’s especially useful for someone like myself in an educational role that has to constantly think about the issues beginners are dealing with.

To add to your list, one thing that’s surprising to me in the privacy world is the lack of perspective on different situations. Tying into your point about lack of information on publicity, I think many people in the privacy community are generally in a privileged place where they don’t have to fear for their lives. It seems a wide majority of people value the philosophy of privacy being a human right. I think this is wonderful! With that said, there aren’t a huge number of resources for people in truly desperate situations where their identity being leaked means life in prison. (Or worse!) For those people, they’ll have to sift through a lot of fairly mundane debates for people trying to optimize the 1%.

Not to knock on those 1% debates, I think they’re super important for people who want to reclaim their privacy. But I think it’s important for us to remember that some people’s lives are on the line here.

5 Likes

Yeah that’s a good point. I assume though that most people don’t want to be like Snowden or like Techlore. My intuition is more that there’s a disconnect between people’s perceived privacy and their actual privacy. Maybe that’s what I meant by “effective” privacy before.

Like when you go to a store to buy groceries, the feeling you have is that the only people who know you bought groceries are you and the people who saw you buy groceries, and since those people probably don’t know or care about you, effectively only you know. In reality, there are cameras and your bank/credit card company knows, your cell phone company probably knows, the government can find out, and that feels invasive. My feeling is that it’s just that kind of disconnect that gives people the ick.

Going out is technically a public thing, but there’s a way where it’s more public than you feel like it is, and I think that’s where talk about “how to be public” feels underserved. Like personally I don’t want to buy groceries with sunglasses, a mask, and a hoodie, but those would likely be necessary to have the same privacy irl that I have in mind in my head. The online equivalent of this is probably social media. I think a lot of younger people are fine with having some kind of public persona, but it’s not really discussed how to be public “privately,” if that makes sense. How to technically have a public presence while making moves to have your technical privacy match your perceived. I may be fine posting that I went to some concert, but it’s creepy that someone can download a picture and find out the GPS location, phone model, time taken, etc. What if I posted something more vague like being in the woods? I don’t mind people knowing I was in the woods, but I don’t expect them to know at what tree.

It feels like that stuff is actually talked about more on social media than in privacy communities, ironically. I have a pretty clear set of rules for what I share and don’t share online that long predates caring about privacy. But even background stuff may help, like technically revealing your identity on different platforms, but not having easy ways to tie them together like same email addresses/phone numbers/contacts/etc associated with the accounts. Most people have the impression that if someone wanted to look up where they’ve publicly been (schools, events, etc) that maybe a private investigator could. That doesn’t stop them from having a public facing life. The problem now is that a lot of this stuff just happens automatically in a way not true before. I think that’s what spooks many people.

If your threat model is just a normal, not particularly private, person, how do you treat your public life so that your perceived sense of privacy more closely matches your actual privacy? That’s something I’d like to see talked about more. Services like Signal are great for this. Obviously Signal is just private, but a lot of the appeal of Signal, I assume, is that Signal just works the way you assumed texting worked before you knew better. Same with something like Monero. I feel like the appeal is just that it works the way you assume money worked before you knew better. It feels weird even saying “I want a private currency.” It’s more that I want spending money to work how it works in the heads of everyone who spends money. It’s weird that my bank knows the exact time that I’ve purchased every game console I’ve ever owned and where I bought it. I don’t even know that. They probably don’t even care. It’s all weird. But I still want to be able to walk outside, go to Gamestop, and buy a new system if I wanted to.

If in 5 years there’s the perfect Monero card solution and I can just buy anything and it’s convenient just like a debit card, how do I act in the world publicly then? What if I don’t want to be Techlore or Edward Snowden? What if I just want to be a regular person?

3 Likes

I have considered how to be anonymously polite. My family catches me lying about my DOB, phone number etc in public.
I have chosen to go to a store out of the way for less invasive interactions. I am one of the most private, but talkative people I know!
I dress like the Unabomber as in the hat, sunglasses and hoodie when weather appropriate. My personality shines through my drab clothing.
As much as I talk and type here it would not take long for someone to build a profile on myself.

Social interactions are a crazy thing, especially related to recollection. This one cashier frequently asks me what my date of birth is. I mentioned a false date, the same date, several times. One day I forgot the lie and told her a wrong date. No problem. Since then I intentionally want to get caught by this cashier. The last time I mentioned 05/14, she replied, oh, you were born on Mother’s Day. I politely said sometimes. She looked at me oddly as Mother’s Day changes and it was obvious she did not recall this. This might have been a trigger which she will recall that she thinks I was born on Mother’s Day.

With these variables of recollection in a social sense, what can you do? Will someone recall I was the guy wearing sunglasses inside? Will the nerdy sunglasses look prescription, or will the sporty glasses look like I work construction and just look like part of my work uniform that I wear 12 hours a day? Will no one notice at all? These variables to me kill the idea of a grey / gray man.