ava
npub1f6u…zcka
2025-01-10 01:21:15
in reply to nevent1q…40t9

I used to be an Apple girl. iPhone is generally considered more private out of the box than Google Android—if you trust Apple. This recent Siri spying debacle is a good case in point of why you may not.

GrapheneOS is more private than either, with not many tradeoffs in usability. I recommend GrapheneOS; it's best in class at what it does, but there are some inconveniences to using it. Not many, but there are some features you may miss, like facial unlock, Apple Pay, or Google Pay, and AI integration (everything is sandboxed), etc. This sandboxing treats Google like any other app and isolates it from being as invasive as it is on stock (even with turning off location data and hardening your privacy using their settings).

However, if you are still uploading all your data to Google or Apple, who scan email and photos and collect a ton of behavioral data, then GrapheneOS can do nothing about that. It protects a lot through its approach of greater privacy and security through isolation, compartmentalization, and on-device security. If you use these big tech services, then you must be diligent about what data you allow them to have access to.

Even if you host your own email, it's likely that the recipient does not, and that becomes a point of failure unless you use PGP (which is really a privacy band-aid since email was never meant to be a secure form of communication), or better yet, an E2EE messenger like SimpleX over Tor/Orbot. However, there are times when email is necessary, so you must be mindful of what data you're sending over unencrypted channels and to whom.

I only use the phone app or SMS messenger on my phone if I absolutely have to. The Snowden leaks proved that the U.S. government has been spying on its own population through backdoors to social media and through unencrypted communication channels like SMS and phone. All encryption is not created equal and some implementations have security holes.

I use Signal/Molly (hardened Signal fork) for normie conversations (kids, mom, etc.).
I use SimpleX for more sensitive matters.
I speak in person in private locations whenever possible for the most sensitive matters.

It all depends on your threat model. Your devices can be found through satellite and signals triangulation unless you keep them in a Faraday bag and never connect them to your home network—even then, if you turn them on when you're outside, you can be tracked and doxxed through behavioral data like work address, friends' addresses, frequented locations, etc.

I recommend a second device paired with good OPSEC for this, and a complete burner purchased by someone not connected with you in cash for a bug-out device. If you make the purchase, wear a privacy mask, pay in cash, buy a prepaid card (use decoy info to activate), or silent link eSIM paid with Monero over Tor using a device that has never connected to your home Internet for maximum anonymity—don't park in the parking lot (they have tag and RFID scanners that ID anyone who parks or drives through there).

You have to decide what's best for your threat model. Do you really need to be a ghost? Does your threat model in this area of your life include government or just big tech? Are you evading an abusive ex? Are you a well-known person avoiding being tracked by media and paparazzi? etc.

Privacy is always a trade-off with convenience. The more privacy you need, the less convenience you will have. In some areas of your life, you may need greater privacy, like private messaging; in others, you may want more convenience. In the end, all you can do is try to slow someone down by compartmentalizing and protecting your data with multiple encrypted layers and red herrings. That said, given the right reasons and enough time and money, most anyone can be found.

If you want ultimate privacy, never use the Internet; never walk out of the house without a mask (due to Ring cameras and public surveillance); don't open any accounts in your name; don't own anything in your name, etc. Even then, for example, if you are in the vicinity of someone with a live mic or have to make a phone call to a company, chances are, your voice and current locale can be fingerprinted.

That said, it is possible for most people to disappear from most anyone save for gov entities for extended periods of time, but it is extraordinarily inconvenient and not having a front-facing digital identity is oftentimes more suspicious than having one, even if it is just there to reduce suspicion. I recommend Michael Bazzell's IntelTechniques books and training as a very good introduction to privacy and OSINT if you want to learn more.

Regarding OSINT: if you have a bank account or a phone number (VoIP/Jabber numbers are frequently blocked by financial services), a car in your name, a KYC account somewhere, a rental agreement, a mortgage, a driver's license, a passport, a public record, a brick-and-mortar business you work at or own, etc., then you can be found. I have tools and the skills to find most anyone just with open-source data freely available to anyone, and I know where to go if I cannot. For example, did you know there are states in the U.S. where tag registrations are considered public information, and in the states where they're not, it doesn't cost much to have a licensed PI run a tag?

There is even a new form of police scanning device that can read RFID signals from your car tag, your phone, your pet's microchip, even your library books—creating a unique fingerprint to ID you even if it's not your car. This device can scan and record all of this data from a distance while you're driving down the road.

Wi-Fi signals can be used to map out a house, and the location of people inside it. There are so many ways that people can be IDed.

My advice is to know your threat model, and in what areas of your life you require more privacy and are willing to sacrifice convenience, learn and practice good OPSEC, and act accordingly.

#IKITAO #Privacy
Author Public Key
npub1f6ugxyxkknket3kkdgu4k0fu74vmshawermkj8d06sz6jts9t4kslazcka