Privacy vs Linux ??

[DAMIEN1307]

I've been reading this post/thread with great interest and the replies to it have been on the whole quite good if not great.

I think that most of us do realise that there is no such a thing as complete anonymity when on the web but we all endeavour to do are utmost to minimise ads, tracking, canvas fingerprinting, etc as much as possible.

It appears that Mike-Linux-Mint has started a really great thread here and listening to his response, he appears to have a really good handle on the situation.

I also agree with others that EFFs panopticlick really seems to be a real joke as well...i agree with trytip when it was said,

in order to test your privacy you must first disable your privacy. the EFF are leaches just like the rest of the internet that wants a piece of you.

...disabling privacy just to check your privacy?, thats just plain stupid and as we all know, "you can't fix stupid"

and then there is gm10s comment, which i also agree with,

Tried that site and seems a bit of a joke, no? How on earth does it give you green for ignoring the "acceptable ads" whitelist but red for ignoring their stupid DNT policy? This is clearly a political site, nothing more. Also the fingerprinting part never finished:

, (my fingerprinting scan never finishes either but maybe its because the Brave browser I use has a setting to stop that), I think most people do not realise that DNT in some way or another has to use a "cookie" of some sort to begin with...another way just in order to track you so you do not get tracked? they have got to be kidding, it's stupid, and and there is no authority whatsoever that even forces compliance for DNT...its about as useless as the DO NOT CALL LIST law here in the USA, 80% of my calls are either robocalls, political solicitations, or just plain scams, but there all one in the same to me...just scams.

I also agree with zenopeek here as well when he tells you that google/google mail/gmail, is as bad as facebook when it comes to privacy and perhaps might even be worse...that is why i use protonmail.com, along with my Brave Browser with the Startpage search engine along with appropriate extensions for privacy...DAMIEN

[gm10]

I think most people do not realise that DNT in some way or another has to use a "cookie" of some sort to begin with...another way just in order to track you so you do not get tracked? they have got to be kidding, it's stupid, and and there is no authority whatsoever that even forces compliance for DNT...its about as useless as the DO NOT CALL LIST law here in the USA, 80% of my calls are either robocalls, political solicitations, or just plain scams, but there all one in the same to me...just scams...DAMIEN

DNT is not a cookie, it's part of the HTTP request headers. I fully agree with the rest of your post though, of course, which is why I found that test's idea to give a red mark for NOT unblocking trackers on the mere promise of not getting tracked ludicrous.

[DAMIEN1307]

hi gm10...thats why i said,

has to use a "cookie" of some sort to begin with

, now i know what is doing the tracking, (HTTP request headers), i knew it had to use some sort of invasive tracking method to accomplish its "so-called" purpose, just did not quite know what that was...lol...DAMIEN

[philotux]

Hi Damien,

In another thread you wrote:

...secondly, install extensions such as ublock origin as well as privacy badger to ward off intrusive advertising and trackers used to track everything you do on the internet/web
...thirdly...
...DAMIEN

Since privacy badger is from eff, do you think it is good extension to have, or shall I uninstall it on the account of what you and others think of eff.

[gm10]

I showed in another thread a little while ago that DDG uses tracking images. If you're not the customer you are the product, simple rule of thumb that's usually correct. They have to make a living somehow. Likely true for startpage.com as well for the same reason but I haven't looked at them.

For anyone else wondering: the one pixel image DDG uses is for improving DDG. See https://improving.duckduckgo.com/ and the detailed explanation at https://duck.co/help/privacy/atb linked from there.

How DDG makes money is simple: when you search for something, they show you ads in the results based on those search keywords. Not based on stalking like Google, Facebook and Microsoft among others do.

I don't think I saw your other post gm10 so perhaps I repeated what you already said. I'm pretty happy with how DDG spells out how their business makes money and how they go about improving their product.

Microsoft is also collecting telemetry with the purpose of improving the product, yet people go crazy about the idea, so I don't think most of those who worry about tracking ultimately care about the distinction.

Personally I'm using Google search. I don't mind Google making some money off me because they're delivering me a service in exchange, and I'm ok with that. I don't even mind them tailoring search results to me because it's actually working really well and saves me time.

Do you know if sites like startpage.com and duckduckgo are paying money to the search engine providers whose results they are displaying, like Google? If not they're probably going to get hit with a lawsuit one of these days, and rightfully so. Making money of another company's services while denying them the income by stripping their ads and showing your own? Yeah right.

[vaportrail]

I like the Pale Moon browser with NoScript. Pale Moon is an Open Source, Goanna-based web browser. Have no idea how it handles privacy: http://www.palemoon.org/

Also looking into Librem 5 when it's time to upgrade my Nexus 4: https://puri.sm/

[Moem]

After reading this article https://www.ghacks.net/2018/05/07/priva ... -steroids/
... I replaced Privacy Badger by Privacy Possum.

[DAMIEN1307]

hi philotux, privacy badger is very good...where EFF is stupid is with "panopticlick" and their insistence that the useless DNT is a good thing...DAMIEN

ps...i use privacy badger along with ublock origin etc. but im going to look into MOEMs suggestion of privacy possum since until right now was not aware of its existance.

[redlined]

It is hard to say though who to trust . . . Can you really trust DuckDuckGo not to track you? They seem to have a good reputation by all accounts by I guess you never really know. I use Startpage.com for my search engine - I looked around and so far I have not read anything about them that worries me.

I showed in another thread a little while ago that DDG uses tracking images. If you're not the customer you are the product, simple rule of thumb that's usually correct. They have to make a living somehow. Likely true for startpage.com as well for the same reason but I haven't looked at them.

hi gm10!

Funny thing about online trust in this digital/information surveilence capitalism is all based on faith... and the big pie in the sky data collectors and sellers are raking in the dough, lsoing more of our faith-based trust everywhere we turn and leaving little to no other options.. Privacy policies are generally horrible to disect and when I find one that is simple, forthright and transparent then I take note and startpage search is one of those services I trust. but how do they make money?!
Our Privacy Policy

How we keep Startpage.com free without using "personal data"
Without tracking ads - as we don’t share personal info with anyone.
Most online advertising today is personalized, meaning that online advertising services track what you do online and profile you in order to serve tailored ads., We don’t do that at Startpage.com. No tracking. No profiling!

Our search result pages may include a small number of clearly labeled "sponsored links", which generate revenue and cover our operational costs. Those links are retrieved from platforms such as Google Adwords. In order to enable the prevention of click fraud, some non-identifying system information is shared, but because we never share personal information or information that could uniquely identify you, the ads we display are not connected to any individual user.

It’s a myth that search engines need to profile you in order to earn decent money. Startpage.com serves strictly non-personalized ads. Sure, our ads make only a fraction of what other search engine ads make, but they pay all our bills.

That and whose jurisdiction they fall under gives me a feel good (reference my searches) especially since EU data protection laws went to effect.

You can disable telemetry in firefox with ease, and a few other tips

http://forums.linuxmint.com/viewtopic.php?f=42&t=210616

cool thread, thanks for that work and for linking to it here!

Since I'm using Nordvpn on Linux, is there any data a VPN cannot protect?
Similarly, I've been speeding up my internet connection by changing the DNS servers in my settings so I've been using the Google servers for IPV4 and IPV6. The connection has been increased but I was wondering whether these other servers could be used to infiltrate my system or spy on my online activities?

hi Mike-Linux-Mint, great thread! I did want to mention VPN only encrypts your data in transport only to the VPN exit server, after that it is no longer their concern. Any unencrypted web traffic you have beyond them is susceptible to intercept, including by them if you are not using HTTPS (also SFTP or FTPS for secure ftp protocols). VPN may also leak DNS querries, if so then your ISP is able to see every website you go to (with the name resolve of DNS) in plain text although they will not know what you do on the website once that address is mapped. Also consider the VPN service provider can also see (including log, profile, sell, etc) every website you visit, by name, if they are also providing DNS service or you resolve using other unencrypted DNS...
Online privacy is a mess, if not a myth completely!

Other things I do besides good internet hygeine and due dilligence when possible is to not place all my eggs in one basket. Start by encrypting your DNS! which is difficult as only two public DNS providers offer DNS over HTTPS (DoH) which is really the only way to keep DNS querries out of hands and eyes that don't belong. see dnscrypt-proxy for more info on what all that is and how to set it up on your system. There is an old(er) version in the main repos but I suggest very strongly you use the latest version from git as it is a huge improvement over version available through apt/synaptic. The two options you have for actual encrypted DNS/full DoH support are google (8.8.8.8,8.8.4.4) and cloudflare (1.1.1.1,1.0.0.1) and although I use gmail (deprecated;) and even google voice I do so knowing they use, abuse and sell my data to the lowest bidder- they don't need my trust it only interferes with their laughter enroute to the bank.. and since cloudflare has a privacy policy for it's public DNS offering that I like I prefer them- even more so since DNS querries are on average at least twice as fast as any other I test (to be fair though I live in Denver, we have a cloudflare DNS data center in Denver and my VPN providers (2 of 3 of them) have exits in Denver- friggin netflix still blocks me, but I'll save that for another rant!:D)

After dnscrypt-proxy (for DoH) and a trusted VPN provider for all traffic I tend to favor certain browsers and extentions and yes, how to trust comes into play, as does concerns about the overhead- what is it doing and can it be done better questions come to mind. Locking down firefox is similar to locking down chromium even though open-source is not really a vouch-safe for anything (how often is that much code audited and what changes have occured since that specific code was looked at?

EFF seems to have taken a hit this thread, I trust them and find two of their extensions very useful HTTPS Everywhere and Privacy Badger. I'm also a fan of NoScript. I use uBlock Origin for ad-blocking of select lists the rest of the ad and bad site blocking I do using a blacklist in dnscrypt-proxy and find it perfect as an alternative to etc/hosts file which is still a way better option than a browser based ad-blocker simply due to less overhead the browser is taxed with. Blocking at the DNS resolve level on computer ensures nothing sneaks through the cracks (e.g. other than browser apps, etc). So to do this I disable IPv6 system wide and set 127.0.0.1 as DNS in wifi(also disabled), ethernet connections and VPN settings- so my system is actually DNS stupid if dnscrypt-proxy isn't functioning properly. If you want help setting dnscrypt-proxy and blacklist then give a shout!

[redlined]

After reading this article https://www.ghacks.net/2018/05/07/priva ... -steroids/
... I replaced Privacy Badger by Privacy Possum.

now this looks cool! checking into it now, thanks for mention this one Moem!

[thx-1138]

...interesting...personally i wouldn't use Chrome even if you paid me.
Same way i wouldn't use Windows - only if i absolutely couldn't avoid such for a very specific task...
Not that I consider FF to be that great - but it's certainly the lesser of two evils.

Fairly certain Tor has it's reasons for using FF & NoScript instead of Chrome...
is Tor junk as well & it's devs potentially misguided idiots?
Oh, btw...what's a good Chrome alternative for NoScript?
Further speaking of it - uBlock on Android's Chrome as well?

...also, wondering...what does the hosts file got to do with...fingerprinting?

...does Chrome allow someone to tweak it as much as that if you want to?
Or does someone has to resort instead to such?

No 'privacy & security theatre', sure - and of course someone should not trust any 'free' service...
or even worse, think that the next 'free' service down the list of 'saviors' will get him to the promised land.
That land was probably lost back in...1994, if not earlier.

But let's not turn to extreme nihilism as well...
Someone doesn't go around in the streets shouting his name, address & bank account assets for obvious reasons...
No reason he/she couldn't or even more shouldn't do the same online with some simple common sense

Personally, i simply use FF with quite a few about:config tweaks, uBlock & NoScript - nothing else.
Because that's what i currently 'need' - ie. i'm willing to let some data to get leaked in the name of a certain 'convenience'.
But in any case, i wouldn't turn my browser and/or system into an Xmas tree with countless numerous extensions,
i don't see that as actually providing me any serious extra level of privacy:
more likely it would help making my browser more easily identified among the bunch. Less is often more...

[philotux]

hi philotux, privacy badger is very good...where EFF is stupid is with "panopticlick" and their insistence that the useless DNT is a good thing...DAMIEN

ps...i use privacy badger along with ublock origin etc. but im going to look into MOEMs suggestion of privacy possum since until right now was not aware of its existance.

Thanks for the clarification, Damien! Myself,I have been using Privacy Badger along with HTTPS Everewhere and uBlock Origin for a while.
Me too, I will be heading to Webstore to try out Privacy Possum as well.

Thanks again!
philotux

[gm10]

Fairly certain Tor has it's reasons for using FF & NoScript instead of Chrome...
is Tor junk as well & it's devs potentially misguided idiots?

My panopticlick screenshot above was with Chromium btw. Here's how vanilla Tor looks like:

pano-tor.png

Make of that what you wish.

Oh, btw...what's a good Chrome alternative for NoScript?
Further speaking of it - uBlock on Android's Chrome as well?

Since you mention uBlock, that one can block scripting, so just use that (I don't understand why you would use both extensions on FF). I'm sure there's a ton of other options though, I never looked. I don't use Chrome on Android so I cannot answer that one.

...also, wondering...what does the hosts file got to do with...fingerprinting?

I think you misunderstood, I didn't see anyone mention it for that purpose, mentions were about blocking user profile & telemetry collection.

[DAMIEN1307]

hi again philotux and your welcome of course...the one main difference i automatically see right off the bat between badger and possum is their are no manual controls for possum which is totally automatic in nature...when i did a "browserleaks.com" and went to geolocation API section, i notice one difference...the global permissions denied is blank with possum, but filled in as you see below with badger...probably because i do not use badgers automatic stuff they put in as allowed but remove their automatic stuff and configure things manually, site by site, in my own way of what i allow and do not allow, but for those that can not or will not take the time to fine tune badger in the way i do, (im kind of "fanatical"...lol), i think possum, from what i see thus far is a great alternative...DAMIEN

Origin Permissions
× Denied — You don't allow browserleaks.com to track your location.
Global Permissions
× Denied — You don't allow random websites to track your location.

[philotux]

Thanks again Damien! Great info! Have installed Privacy Possum. As you said, it is completely automatic. I feel somewhat more in control with Privacy badger giving me the option to choose what to block or not.
Cheers,
philotux

[xenopeek]

Microsoft is also collecting telemetry with the purpose of improving the product, yet people go crazy about the idea, so I don't think most of those who worry about tracking ultimately care about the distinction.

Meh. I don't see how the telemetry data Microsoft collects is comparable to the A/B testing DDG does, but sure. There's a tin foil hat for everybody

Do you know if sites like startpage.com and duckduckgo are paying money to the search engine providers whose results they are displaying, like Google? If not they're probably going to get hit with a lawsuit one of these days, and rightfully so. Making money of another company's services while denying them the income by stripping their ads and showing your own? Yeah right.

Startpage has a contract with Google https://support.startpage.com/index.php ... ch-results. DuckDuckGo doesn't use Google but similar to how Startpage does it they are a syndicated search partner of Bing.

[gm10]

Microsoft is also collecting telemetry with the purpose of improving the product, yet people go crazy about the idea, so I don't think most of those who worry about tracking ultimately care about the distinction.

Meh. I don't see how the telemetry data Microsoft collects is comparable to the A/B testing DDG does, but sure. There's a tin foil hat for everybody

The scope is different not doubt. I rather meant the part how users scoff at telemetry collection no matter what it's being used for.

[DAMIEN1307]

hi gm10 and zenopeek...my thinking on this is not so much that telemetry in its self is all bad when pursuing worthy goals such as providing insight into how things are working on individual basis, and how to improve the software involved, but what i think people are upset with is how footloose and fancy free that folks like microsoft and others have used this to make peoples computers excessively "chatty" using more of their system resources without any real transparency in what they are doing with the info as well as using peoples bandwidth in order to accomplish their goals, (when i ran win 10, even with everything set to basic with no other access allowed, their telemetry still was thrashing my HD and ram into overdrive. this especially effects so many people having to deal with bandwidth "caps" on their IPS connections as well as older systems using older and slower hardware that can ill afford the "hit" to their system resources...i dont suffer from "CAPS" or old and slow hardware, but many others do...i think thats why people start lighting the torches and sharpen the pitch forks...its not always the "tin foil hat brigade"...DAMIEN

just like any other "power" entity in the world..."absolute power corrupts absolutely" and when there is no "checks and balances", and corporations have always failed to recognise that there is a limit to what people will put up with, well all i can say, here we all are now.

[redlined]

hi gm10 and zenopeek...my thinking on this is not so much that telemetry in its self is all bad when pursuing worthy goals such as providing insight into how things are working on individual basis, and how to improve the software involved, but what i think people are upset with is how footloose and fancy free that folks like microsoft and others have used this to make peoples computers excessively "chatty" using more of their system resources without any real transparency in what they are doing with the info as well as using peoples bandwidth in order to accomplish their goals, (when i ran win 10, even with everything set to basic with no other access allowed, their telemetry still was thrashing my HD and ram into overdrive. this especially effects so many people having to deal with bandwidth "caps" on their IPS connections as well as older systems using older and slower hardware that can ill afford the "hit" to their system resources...i dont suffer from "CAPS" or old and slow hardware, but many others do...i think thats why people start lighting the torches and sharpen the pitch forks...its not always the "tin foil hat brigade"...DAMIEN

I have a tin foil hat!

as for telemetry, when this is true: "telemetry in its self is [not] all bad when pursuing worthy goals" then I will be ok (well, maybe just complain less:D) but that "worthy goal" is generally defined as good for the profit margin so rarely, if ever, happens as defined by the one they profit off of (the user info)... until the big data collectors take a huge hit in the pocketbook. If they want to profit off any information including me, about me, my habits my preferences my uses of their products or services then I want to be fully informed of every single bit of info before they have my consent. and UA/TOS/PP stealth crap does not count which is what most involved in some level of surveillance capitalism are doing (check what had to change in google, M$, facadebook, etc when EU data laws went into effect.
They all are and will be exposed, slowly but surely, and if their not upfront and honest about what they collect, and why, even with bs fake transparency it will cost them and those fines are the only thing we users have going for us to keep any of it in check (sadly I'd have to move to EU to enjoy privacy they now get that I don't by the same service provider, this really sickens me feeling like another sheep in the get fleeced flock- so I take care to safeguard where and when I can and feel good about that which i do consciously consent to give or voluntarily provide. Wait a couple more years when there will be very few left on the planet not giving up some data to the Internet of Things, everything does not need microchips and wifi transmitters but you better believe it is becoming ubiquitous, insidiously so, by the minute

[sanmig]

I guess we left the topic "... vs Linux", however:

I still live on a Mac. When I have to use FF my Little Snitch is busy all the time to ask for additional FF connections, it's amazing.
They all want to know what I'm doing?

@Mike-Linux-Mint:
For your DNS, your provider or VPN (@redlined wrote nearly the same):
You can't hide.
When you connect to any site your browser usually asks in clear: What IP is xxxporn.com?
So your DNS (Google?) knows in request (and reply) what you are going to visit.
Even if you use DNSSEC the next action of the browser is to connect to that IP, now your provider / VPN will know.

Most important, the site you visit knows - and sells behind your back - what, when and how long you visit which part of the site. Anonymously of course, because they don't need to know your name.
But hey, they know it's you!

Only if one has access to several sets of info regarding "you" (like croogle or big cloud providers like amazion) the package increases in value and may give a detailed picture with location and name.
However, at the moment it seems business isn't that interested - or still unable to focus out single users.
Others may be, now or in the future - using Tor you call them in anyway.

4 In order to prevent the collection of additional user data such as browser type or operating system, the support of scripts in the browser can be deactivated. However, this can restrict other functions on the internet under certain circumstances"

Not correct by the way. Your browser still sends this data with scripting disabled, it's part of the User-Agent header getting sent with every request as per the HTTP spec. In Firefox, you can define a custom user agent by creating the string general.useragent.override in about:config, but if you put nothing or some unique value there you'll become even more identifiable since you'll stand out.

Yep. user agent, installed SW (e.g. Wacom tablet) and esp. your own "improvements" make you stand out.
And don't underestimate the power of JavaScript!