Summary: I share the techniques I use to protect my online privacy. Part 1 of a 3 post series on good practices for tech usage.

The Miranda warning is already outdated. As Mat Travizano predicted more than a decade ago: “Not only your actions, but everything you’ll probably say, you have the intention to do, or might possibly think… will be used against you”.

Dark Tech Threat Model

As the West is importing Maoist China’s Struggle Sessions (now rebranded as cancel culture), you better conform to woke society expectations, or else… you’re out! For a time I believed this was merely a US-only nonsense, but reality hit too close to home when some National Argentine Rugby team members got cancelled for some racist tweets from 10 years ago after the internet mob got angry at their lack of “proper” homage to the recently defunct Maradona. (!)

Artificial intelligence keeps exceeding our wildest expectations year after year. Each data point we produce and publish on the web can and will feed a machine learning algorithm which predicts your next action with ever greater accuracy. To show you better ads. To get you to stay just a little longer using this app. To change your mind about this topic. Predictive power is dominance, and we are feeding the beast, sometimes willingly.

Snowden’s revelations, Wikileaks, and now common sense tell us that governments are ever increasing their surveillance and control capabilities. The US have military bases and conflicts everywhere. China is expanding their Belt and Road Initiative. Russia, Israel, UK, the European Union, India, Australia, Japan, Brazil are not far behind. Just about everyone is passively spying on you, in case you threaten their holy National Security interests. All nation states understand that data means power, and they have the resources to store and analyze huge amounts. The moment you become a dissident, they’ll use all of it against you.

No matter your why, OPSEC is how

Be it for protection against a random loser unburying a mistake from the distant past to cancel you, the AI overlords predicting your every thought, senile nation states playing whac-a-mole, or some future threat we can’t even begin to imagine today, some of us began increasing our awareness as to what information we make available online. Just in case.

OPSEC (short for operational security) is the practice of protecting critical information from unwanted observers. Unless you’re in the military, it’s synonymous with online privacy. Here are some simple and inexpensive ways I have found to improve online informational hygiene. I’m roughly ordering them from basic to hardcore, so you can follow along until you’re satisfied with your protection level. I have no commercial affiliation with any of the following, it’s just stuff I use and love. No referral links either!

TL;DR

  1. Use Brave browser.
  2. Install ExpressVPN and have it always on.
  3. Use Signal for all your messaging.
  4. Learn about privacy and cryptocurrencies. Youtube and Google are your friends.
  5. Sign up for Privacy.com and use it for online fiat currency purchases. (Aug 2022 update: no longer works unless you have a US social security number)
  6. Get a cheap domain at namecheap.com to shield your email.
  7. Use avatars and pseudonyms everywhere and try to remove your real face and name from the Internet.
  8. Obfuscate your real activities with fake data.

1. Brave Browser

Blocks ads and unwanted nasty scripts. It’s even faster than Chrome. Comes with integrated cryptocurrency wallet, bittorrent client, and Tor. What else could you possibly ask for?! This year (2021) I’ve migrated from Chrome to Brave for my desktop browsing and haven’t missed it even once since. They even let you import EVERYTHING (bookmarks, url history, saved passwords, etc.) from your old browser automatically. I’ve also been using Brave for mobile for ~2 years or more probably. Better privacy and performance by default, and less of your data sent to Google. Easy win, download now!

2. ExpressVPN

Another of the basics. A VPN gives you basic encryption for all your connections (useful for insecure networks like airports), but it also provides the added benefit of hiding your IP. This prevents all web apps you use from knowing your rough location (which they could otherwise get from the IP). I began using ExpressVPN when I first visited China ~5 years ago, and I just never stopped. I now try to have it always on. It’s blazing fast, cheap, and has great customer support. Try it out!

3. Signal

I doubt this is the first time you’ve heard about Signal, the privacy-focused messaging app. It’s fully encrypted, developed by a foundation with no commercial interests to sell your data, and cross-platform. If you still don’t have an account, create it, and next time you need to talk to someone, try to message them on Signal first.

4. Cryptocurrency

Banks will sell or give away your financial information to advertisers, governments and other nefarious institutions you might not especially fancy. Coins such as zcash, Monero, and Tornado for ETH/ERC20 provide pretty good privacy solutions for making payments and moving funds internationally. An interesting new project I’ve recently tried out is Incognito, which is a way to “wrap” pre-existing coins with a privacy mantle. It’s sort of new and not very well audited, so be cautious and don’t use it for big amounts of money.

5. Privacy.com cards

(Aug 2022 update: no longer works unless you have a US social security number)

In case you need to use fiat currencies (like most of us, for now), consider using Privacy.com - it lets you create as many virtual debit cards as you want for free. The main advantages are: (1) if one service provider gets hacked, you don’t need to call the bank for a new card, you just cancel that specific card, and (2) you can put in whichever plausible-looking billing address and purchases will work. Why on earth should Netflix, Spotify, and their moms need to know my home address?? Unfortunately, last time I checked, a US bank account is required to use Privacy.com, so this is not for everyone. I’ve been using it for all my online purchases for more than 2 years now. If you happen to have a US bank account, definitely check it out.

6. DIY Email Masking

We’ll never send you spam, we promise! Yeah, right. That’s if you don’t get hacked. And if your startup never gets acquired by a bigger and less scrupulous company.
Inspired by Privacy.com, I set up a similar system but for email, for when I need to give it out (which is quite often, unfortunately). Now, each time I register to a new app, or I need to give my email IRL, I create a new one, instantly. Here’s how:

  1. Purchase a cheap domain at Namecheap.com. Anything will do (eg: niutqf4r1n.com, jljai01bpo.xyz, 2348248024234.io etc.), but I recommend something like fruitsolutions.tech for comedic purposes. If you’re uninspired, use domainwheel.com. Some domains cost less than $2. Come on, buy one!

  2. Go to your new domain’s settings on namecheap, and scroll down to the “REDIRECT EMAIL” section.

  3. Add a new “catch-all” alias and forward it to your real email address.

    Done! Now, every time you need to provide an email, you can just invent a new one, like facebook@fruitsolutions.tech, or landlord@fruitsolutions.tech and all emails sent there will end up in your inbox.

    Now, if someone sends you spam, not only can you identify who did it (just remember who you gave that specific address to), but also block it easily (by adding a filter to your inbox). Of course, you won’t be able to send emails from all those addresses, but it’s good to prevent every website and app from knowing your real email. This has the added benefit of preventing one of your accounts getting hacked from affecting your other accounts (the attacker won’t know which email you used).

  4. [optional] Repeat for various domains, to have even further control and compartmentalization.

  5. [hardcore] Create a new secret email account (preferably self-hosted) as the receiving end of the forwarding, and never give that address to anyone.

  6. [extra credit] Stop using Gmail or Outlook, and prevent Google and Microsoft from harvesting your (meta)data. I hear protonmail is a good alternative, although I haven’t used it much.

Update: I’ve later found Firefox Relay which is an easier way to implement this. I still prefer my homemade solution, but in case you’re lazy, check it out!
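The "identify who did it, then block it" step above can be automated. The sketch below is an added example, not part of the original post: it reads the alias a message was addressed to and flags aliases that received mail from a sender they were never given to. The `ALIAS_OWNERS` record, its domains and the sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

CATCH_ALL_DOMAIN = "fruitsolutions.tech"   # example domain used in the post
# Assumption: your own record of which sender domains each alias was given to.
ALIAS_OWNERS = {
    "facebook": {"facebook.com"},
    "landlord": {"landlord.example"},      # constructed domain
}

def recipient_alias(msg):
    """Local part of the catch-all address the message was sent to, or None."""
    # X-Original-To is only present if a mail server on the path adds it.
    headers = [v for h in ("To", "Cc", "X-Original-To") for v in msg.get_all(h, [])]
    for _display, addr in getaddresses(headers):
        local, _, domain = addr.lower().rpartition("@")
        if local and domain == CATCH_ALL_DOMAIN:
            return local
    return None   # e.g. Bcc'd mail: the alias is not visible in the headers

def classify(raw_message):
    """Return (alias, sender_domain, verdict) for one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    alias = recipient_alias(msg)
    sender = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    if alias is None:
        return None, sender, "no-alias"
    owners = ALIAS_OWNERS.get(alias)
    if owners is None:
        return alias, sender, "unregistered-alias"   # guessed or forgotten alias
    # From is easy to spoof, so "expected" is not proof of authenticity;
    # "leaked" only means an unrelated sender knows this alias.
    ok = any(sender == d or sender.endswith("." + d) for d in owners)
    return alias, sender, "expected" if ok else "leaked"

def aliases_to_block(raw_messages):
    """Aliases that received mail from a sender they were never given to."""
    return sorted({a for a, _s, v in map(classify, raw_messages) if v == "leaked"})

# Constructed sample messages (not real mail).
SAMPLES = [
    "From: Notifications <notify@mail.facebook.com>\nTo: facebook@fruitsolutions.tech\nSubject: hi\n\nbody\n",
    "From: deals@cheap-pills.example\nTo: landlord@fruitsolutions.tech\nSubject: offer\n\nbody\n",
    "From: x@spam.example\nTo: admin@fruitsolutions.tech\nSubject: guess\n\nbody\n",
    "From: y@spam.example\nTo: undisclosed-recipients:;\nSubject: bcc\n\nbody\n",
]

if __name__ == "__main__":
    print([classify(m)[2] for m in SAMPLES], aliases_to_block(SAMPLES))
```

Each alias returned by `aliases_to_block` is a candidate for an inbox filter on that exact recipient address; the `unregistered-alias` case shows that a catch-all also accepts addresses nobody was ever given.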

7. Avatars and pseudonyms

Save your name and face for meatspace. Stop showing your real face on the web. No, really, just stop. I know the 2000s were all about using your real name on Facebook and taking our social lives online. That’s over. By using your real name and pic, you link your online activity with your physical body. Why would anyone want that? (the only exception I can think of is dating).
I’ve sinned horribly on this front hundreds of times by uploading selfies everywhere, videos of my talks, doing podcast interviews, etc.

Here’s a short guide (although following it is a long, gruelling process) on how to revert it, if that’s also your case:

  1. Search for your full name on google.

  2. For each result that shows your real face, go to the page containing it, and contact the site owner asking nicely to remove your picture. You’ll have to be creative in finding contact information. I’ve used contact forms, googled around to find site owner’s email, twitter, or linkedin accounts, and edited some sites myself. If it comes to it, you may resort to legal action. In my experience, most webadmins are very supportive and understanding.

  3. Repeat until there are no results showing your real face.

  4. Repeat with youtube, facebook, twitter, and any other site you think might have your image.

  5. Google ‘avatar illustration’, pick the one you like the most, and use it everywhere instead of your real face. If you want to get real fancy, commission an artist to do a custom avatar and you’ll feel great.

    Congrats! You’re now among the select group of born-again digital virgins!

  6. [hardcore] change your state/legal name so that it doesn’t match your screen name.

I’m still in the process of doing this… some pics are hard to get deleted. In fact, I’ll gift you a professionally illustrated avatar in any style you choose (or a custom domain name to mask your emails as explained above) if you can find an image/video of my face (please don’t upload it yourself ^^) and then make the website owner delete it. Email me at security@maraoz.com to report findings and to redeem after it’s deleted [⌛⌛⌛⌛⌛ - 5 of 5 remaining!].

8. Obfuscation

The ultimate (albeit costly) defense against data collection is generating lots of fake data. Some ideas (which I haven’t implemented yet) on this front, in case you’re interested:

  • Creating fake profiles and people with your same legal name.
  • Publishing fake personal information about yourself.
  • Writing fake articles about yourself.
  • Acting randomly to confuse algorithms.

Please contact me if you’re actually doing any of this stuff. I’d love to learn more about your experience and to get practical tips.

Summary and final words

  1. Use Brave browser.
  2. Install ExpressVPN and have it always on.
  3. Use Signal for all your messaging.
  4. Learn about privacy and cryptocurrencies. Youtube and Google are your friends.
  5. Sign up for Privacy.com and use it for online fiat currency purchases.
  6. Get a cheap domain at namecheap.com to shield your email.
  7. Use avatars and pseudonyms everywhere and try to remove your real face and name from the Internet.
  8. Obfuscate your real activities with fake data.

That’s it! Hope you can implement at least one idea in the list. I’ll be writing two complementary articles next, called “Light Tech Backpack” (in which I’ll talk about techniques to minimize negative impact of tech to our peace of mind), and “Blue Tech Backpack” (where I’ll outline basic information security practices) respectively. If you’d like to read them, please subscribe below:

Acknowledgements

Cover photo by Mikel Parera on Unsplash
