Computing with Privacy and Security

This isn’t a topic that comes up often here but it’s been top of mind for me for a few months and I’m curious to hear where other folks are on this. By necessity (of explanation), this is a SUPER LONG POST!

Trust Lost?
In previous years I trusted Apple more than any other tech company. I likely should have questioned this more critically previous to January. I’d already opted out of other companies that had long ago lost any trust. Some never really had it and didn’t last long. In any case, I’ve raised the bar on this and in the current context of 2025 Apple no longer meets the bar. But, in truth, in the context of 2025, almost no US-based tech company will satisfy me.

My Mistake
In previous years I made the mistake of mostly taking the view of “I’m not doing anything wrong, I’ve got nothing to hide”. I’ve been blogging for nearly 30 years and shared a lot. I had, embarrassingly, not taken the time to consider that there is a world of difference between me offering, of my own volition, to share in an active act of publishing a blog. In such sharing I chose what to share. I’d also somewhat fallen into the lazy thinking of it’s too late for privacy, it’s all out there now. Even with these lapses in judgement I’d still made at least one good call: I quit Facebook in 2015. This shifted any previous tendency to use social media for family or friendship communications to email/messages/phone calls.

My Social Media changes
I’ve never relied on social media for work. I kept Twitter and Instagram accounts but didn’t use them much. I deleted my Twitter account in 2022 and Instagram in late 2024. My only reason for lingering on Instagram was a small group conversation with old friends. I finally left them with a fond farewell and the information they needed to get in touch with me if they wanted to stay connected. I’d had a LinkedIn account for many years but never used it. That was also deleted. I’m still on Mastodon and will remain there. It’s an entirely different model and I trust that I’m in control there.

Primary Goals:

• Reduce or eliminate use of cloud services
• Reduce exposure to data collection by apps
• Reduce exposure to data collection via web browsers
• Reduce exposure to location tracking

First, I’ll go over what I cut out. After that, I’ll go over what I’ve switched to.

Apple Services, Apps

• I pulled all my data out of iCloud with the exception of the most recent email received. I’ve got that set to forward to my hosted email.
• Removed all iCloud files and Photos
• Turned off iCloud syncing for all apps
• I’ve always been restrained in my app collection and use. I made a first round of cuts in the early summer then again in mid summer. First to go were the most aggressive data harvesters and violators of privacy. I should have never installed the Walmart and Amazon apps. Lol. They were the first to go.
• Most apps collect too much and at this point I’ve deinstalled most of them opting for websites where needed.
• Last to go: Apple Messages, the Apple Card and Apple Cash. While I trusted that these were secure, my trust in Apple on privacy in the long term is largely degraded.
• Use of new apps/services: I have one app, MySudo which is a subscription that I’ll continue to use as there is no alternative.

Summary: Only one Apple device remains logged into iCloud, primarily for access to control of Home app devices. While I still have the account it is largely now just an archive in maintenance mode.

Google

• I still have a Google account but stay logged out of it.
• Gmail: I’ve had a Gmail account since the first year it was available. I mostly stopped using it 5 years ago. I still have that account but moved all of that email to a local back-up in Thunderbird and Apple Mail on two computers. The account is now emptied of all email and just exists as a back-stop to catch any incoming email from old aquaintances that only have that account. I monitor gmail via Thunderbird on one of my computers.
• Docs: Moved any old stuff I had left in it out. Nothing there now.
• Chrome: I was never a user of Chrome which is widely considered to be the most privacy violating browser.
• Search: I stopped using Google for search years ago. I mostly use DuckDuckGo and Startpage. Lately been trying out SearXNG.
• YouTube: In years past I’d previously published a few videos. Those are removed. I have cut my YouTube use generally. When I do access it I usually do so via DuckDuckGo search in a trusted browser. When I do resort to using the website it is, again, with a trusted browser with no cookie permissions.
• In years past I used Google fonts on my websites. I’ve stopped this practice. I’ll leave it on current sites but will remove with any site redesign and no new site design will make use of the service.

Summary: While I technically still have a Google account it is largely now just an archive in maintenance mode.

Other services:

Amazon: I downloaded my purchase history and have deleted the account. There’s not much else to say. I only used Amazon for the occasional month of video and for purchasing. I’ll still use the site on occasion for searching products and reviews but that’s it.

Microsoft: Had an account that was rarely used other than a few files on OneDrive. Deleted.

DropBox: Moved the gig of files I had stored there to a local back-up and deleted the account.

The phone, data collection, location tracking

Most of the folks in my family seem to use the iPhone as a main computer. it’s with them constantly and always in use. That was never the case for me. I don’t like using the small screen for computing nor do make or recieve many phone calls. For me the iPhone was a camera and a mobile music/podcast player and, paired with an Apple Watch, a health monitor. A fairly limited role.

As I’ve been learning and thinking more in recent months about the constant collection of data from phones, I began to adopt a very different attitude about the phone. I’d previously treated it fairly casually as the convenient device that was sometimes useful. I now view it as an invasive tracking and surveillance device. In hind sight, I’m a bit embarrassed that I had been willingly carrying around with me.

Really, a complete flip in attitude. It was this change in perspective that prompted me to audit the data collected by apps and to begin removing them. I turned off Location Tracking (for everything). I started leaving it in Airplane mode. I changed my phone plan to a cheap voice/text only plan.

Current apps and usage on the phone

• All messaging with friends, family and a few clients is done via Signal. Almost no exceptions. It is cross platform, fully encrypted, open source and audited. It’s free to use (though I donate regularly) and set-up only takes minutes. It’s every bit as private/secure is Apple’s messages but has the added benefit of being cross platform. I use it for all text and most voice and video calls with friends, family and clients. The only exception I’ve made are a few clients that I don’t interact with frequently. Like Messages, I can use Signal on my iPad, laptop and desktop which was important because I’m always in front of one of these devices.
• MySudo is my Signal back-up and my new phone service. For $5/month I have 3 phone lines/numbers (I’m only using one at the moment), 200 minutes of talk time, 300 messages, 3 email accounts with 5GB of storage. More than I need. Sudo to Sudo calls/texts are fully encrypted. Unfortunately there is no Linux app but it works great on the iPad so I can use my iPad to make standard VOIP calls to any local business. And because the calls go out over the internet there is an additional layer of privacy not present with standard cell phone calls. Your phone company collects and sells that metadata.
• Cell based phone calls and standard sms are a last resort and rarely used. Basically, I’m keeping that line/number for 911 calls. I turn it on once every couple of days to check for voice mail or texts from clients. I then reply to them with the MySudo line and let them know I’ll not be using the previous number in the future. I expect that in the near future I won’t need to check that line as often as those clients change my contact info and switch future calls/texts to the MySudo VoIP number or, even better, Signal.

Privacy measures on non-phone devices

• I switched email to RunBox based in Norway for $3/month. I also considered Tuta and Proton both of which offer fully encrypted email. I do have a free Tuta account for encrpyted email should I need it but that only works when emailing other Tuta accounts just as encrypted Proton email is encrypted when sending to other Proton users.
• Web browsing is via LibreWolf, a hardened security focused Firefox fork that runs on Linux and is also available on macOS and Windows for anyone interested. Secondary to that I use Brave on the iPad as LibreWolf is not available there. Safari is decent on privacy, better than most. But both Brave and LibreWolf offer improvements over Safari.
• I now use Proton’s VPN service
• I’ve treated the iPad the same as the iPhone in terms of privacy settings, location tracking, etc. It’s locked down. That said, I actually do use it as a computer so I’ve still got a few essential apps that get used often.

I’m under no illusion that I have achieved complete anonymity online nor do I need that. But there’s a lot of space between that and fully cooperating with the full-time corporate/government surveillance and invasive data collection that I was allowing previously. I see no reason to disrespect myself in that way nor a reason to give them an inch.

I have a genuine question. I’m not debating it at all. What has Apple done to erode your trust? When I see how they have truncated their AI efforts, in part due to their privacy commitments, I tend to trust Apple, at least, far more than any other company. Unless I missed it in your long post , you never said why you lost trust. I can surmise based on the date of January, that it had to do with Cook and the inauguration.

Oh, well, I think they are far better than Google or Microsoft. Or have been in the past. And I expect that to be the case for some time into the future.

My change in approach is really meant to be across the board. While I started off with Apple because much of my previous computing was reliant on Apple services, I didn’t stop there.

I might have trusted Apple in the past I’m just acknowledging broader shifts in the US and the world. Tim Cook himself has said many times: Apple obey the laws in the countries in which it operates. Most notably this was said in relation to changes with Apple’s running of iCloud in China. But I think it’s something he’s repeated a few times and I understand it.

And while that’s true, Apple also defends its users and doesn’t always just go along. They have a record of putting up a significant fight in defense of privacy. Props to them for that.

All that said, yes, I avoided diving into US politics in the post. And I won’t do that now. It is certainly my belief and my observation that much has changed here in recent months and I expect much more to change going forward. So, yes, I’m acting accordingly. I believe that ultimately Apple will obey the laws of the US and I am preparing for that in advance.

All that said, whatever happens in the future I think these were good decisions for my privacy regardless of who may be in power in any given year.

Got it, thanks.

20 characters

The difficulty is our dependence on tech. Whilst it’s possible to extract oneself that becomes harder with each passing year when having a smartphone or account with the local council becomes your only option. I’ve had a battle on my hands with my local school that insisted all parents use a particular app for communication.

In terms of vpn and dns security, some apps just won’t work with that turned on. Our local supermarket has ever fewer cash tills. If you want discount prices at Tesco’s you have to be a club member or it becomes considerably more expensive.

I’m wondering about what I call a dummy phone that has all these apps on, but is used for nothing else. But again, an extra cost.

I’ve never trusted Apple, especially when I saw how easily they capitulated to China’s demands. Profit came ahead of people.

In reality the only real answer would be legislating people’s privacy and freedom. But hey, I’m in the UK which is removing freedoms extremely rapidly. And we don’t appear to be the only ones.

I think your approach is excellent in that you are minimising the attack surface you present. And perhaps minimising is the only thing we can really do, but it does come at a cost.

Yeah, it’s going to be difficult going forward. I see story after story about governments, agencies, services and shops that increasingly require an app or make using a card or cash difficult.

And I think you’re right, really, minimizing is about all we can do if we intend to continue functioning within the system.

I’ve viewed the whole effort and process as a challenge and, honestly, I’ve actually kind of enjoyed it. Digging in and learning about their techniques was alarming at first but also motivating. And since then, strategizing ways to deal with them, to defend and work around their efforts has been gratifying. Kinda like a board game or puzzle. At least, that’s the way I’ve framed it in my mind.

It might be helpful to create some sort of resource that would help people to minimise who don’t have the tech know how (like me!).

I think going forward we need some resource that gives people some viable options and a starting point. Even in terms of awareness.

Maybe this can help?

Ha! You beat me to it! I just recently discovered that site and have been pouring over it. Excellent articles and active forums. Last month I did an “Introduction to Privacy and Security” presentation at my local library which is downloadable as a pdf.

I’d also suggest The New Oil which offers a comprehensive guide.

I’ve had my concerns with various online companies over the years. I’ve previously left both Facebook and Linkedin, but the realisation became that it’s not possible for me to BE in the world without these two accounts leading me to rejoin.

Facebook is critical for connections with family and some friends I rarely see physically, but still value (I missed a family party which was only shared on Facebook after I left), for Linkedin sadly, if you’re not on Linkedin you’re effectively person non grata when applying for jobs at certain companies.

Meta is a company I loath, but between Facebook and WhatsApp, it’s effectively a public service.

I left Twitter the day they killed the API for third party clients. That killed the Twitter I knew and let Mme to Mastodon where I happily post and read.

Of the top 5 (Apple, Meta, Microsoft, Google, and Amazon) Apple is the best of a bad bunch. it’s a company I still trust, but since the Mad King was elected that trust has been stretched further than I expected.

With where I am in this world at this time I’ll continue as is.

I feel that way sometimes, but FB is such a sleazy company. I’m tempted at times, but thus far, I’ve resisted.

image1280×720 252 KB

I get that. Reliable software that neatly complement each other have a satisfying click.

That’s understandable. Most of our data is already out there.

There are always a minimum of two copies of every email we have ever sent or received. No matter what we do the recipient of every email we have ever sent has a copy, and so does the sender of every email we have ever received. We cannot protect what we don’t possess.

I’ve been buying things online for decades. And it is likely most/all of those vendors have sold what they know about me to ever data broker that will offer them a few cents for my info. Amazon and Walmart alone know just about everything about me from the books I read, to the food I eat, to my name, and physical / digital addresses.

It’s impossible for me to purchase anything, visit my doctor, get my oil changed, or renew my drivers license or license plates, etc. without leaving a digital breadcrumb for someone to add to my digital history.

In 1999 the CEO of Sun Microsystems was quoted as saying “Privacy is dead, get over it”. If that wasn’t true then, it definitely is now.

I feel my iPhone and iPad are more secure than my Mac. And that my data in Google Drive and iCloud is safer, not more secure, than on my devices. Any sensitive info that I put online is encrypted.

But all those encrypted bank, tax, and health, etc. records are just copies of information that resides on other corporate or government computers, and have been leaked or stolen on multiple occasions. If they can’t keep information secure . . .

Yes, but is your content on GDrive safe from Google? For example:

"Once uploaded to Google Drive, your files fall under the purview of Google’s Terms of Service. Anything that goes against those Terms can be flagged for removal and can even lead to a ban from Google’s cloud programs altogether. Looks like it’s time to find a new home for any shady files you need stored.

Then there’s the Abuse Program Policies and Enforcement list, which more explicitly covers Drive, Docs, Sheets, Slides, Forms, and Sites. There is an individual policy listed for each of the following types of content:

• Account hijacking
• Account inactivity
• Child sexual abuse and exploitation
• Circumvention
• Dangerous and illegal activities
• Harassment, bullying, and threats
• Hate speech
• Impersonation and misrepresentation
• Malware and similar malicious content
• Misleading content
• Non-consensual explicit imagery
• Personal and confidential information
• Phishing
• Regulated goods and services
• Sexually explicit material
• Spam
• System interference and abuse
• Unauthorized images of minors
• Violence and gore
• Violent organizations and movements

What’s covered here? — On a base level, anything that violates Google’s general Terms of Service can be automatically removed from the company’s websites and programs. Google also reserves the right to remove content that violates applicable law or could harm users, third-parties, or Google. Child sexual abuse material falls into this category, for example." Source

Your data might be safe. But what about someone who is politically active? As is pertinent to the current moment, there are currently many anti-fascist activists organizing protests in the US. In September the current US admin declared antifa to be a domestic terrorist organization. If I’m a political activist/organizer using Google Drive can I trust that my documents are safe? My account? Some of the bolded items in the above list could easily be defined in a number of ways to mean different things.

Given the above I would assume the answer is NO. I don’t know about Microsoft, Apple or services like DropBox. Do they have similar policies? Cloud computing certainly offers convenience and promises of security and safe keeping but does it really?

I know that with some caution and care my local files are safe, secure and private. They are on a my local drive next to me with no company holding a key to my access.

Try also Electronic Frontier Foundation. https://www.eff.org/. They have a good range of reading.

This is an extremely valid point. Ambiguity of terms such as ‘hate speech’ and even interpretation of existing legislation may make you fall foul of those who hold your data.

I work in a church and we have a traditional view of marriage between a biological male and female, but freedom of speech and opinion can clash with equal rights. In the uk police are actively cautioning street preachers for causing offence. The difficulty is that freedom of speech will invariably offend someone who disagrees. The point I’m making is that if google takes a different perspective or comes from a different opinion they could remove an organisation’s workspace accounts. Which is not trivial.

[quote=“svsmailus, post:16, topic:43176”]
offend someone who disagrees.

I often struggle to understand why people are ‘offended’ simply because someone expresses a different opinion. I can understand taking offense if the person is being disagreeable in how they disagree, but mere disagreement is no cause for offense. When I see people reacting in anger to a contrary view, I’m inclined to think their anger stems from an inability to articulate or defend their position rationally. After all, name-calling and outrage are easier than careful reasoning.

I use iCloud Drive in a limited fashion: because smartphones are a peripheral and are designed to need the cloud. I use iCloud Drive as a connection method to get my files from my phone to my Mac. Then I remove them from my iCloud Drive. I have no photos stored in Photos for over a day or two.
CloudKit is a different story; because files stored there are encrypted so neither Apple themselves nor the developer can have access to them, I’m considering those files safe.
Regarding cloud services and their Terms of Service: there is an article I’m going to find and link where a father had trusted his entire digital life to Google, including his phone number in Google Voice. During the pandemic, his physician told him to take a photograph of his toddler’s private parts because there was a problem there. Google’s automatic CSAM detection flagged that photo and deleted his entire account and the backups associated with that account. There was no hope of recovering. Google later said that action was a mistake, but there was nothing they could do about it. Period.
That article started my journey away from cloud services. Even MEGA, which is a zero knowledge cloud service (only you have your recovery key, MEGA doesn’t) has restrictive Terms of Service because you can share your files. Sharing files means they have to be decrypted, so MEGA can then see them.
I had already done some research about cloud terms of service, and I learned that if I didn’t create the content in the file, I can’t store it on a cloud service. For instance, I grab webpages off the internet to preserve them against link rot. I don’t share them with anyone. But, since I did not write the article, I cannot store it in the cloud. Storing ripped CD’s is the same thing, unless you recorded the music on those CD’s.

The short answer is yes. My content is safe because I keep up to date copies of everything I store online.

If I were to get locked out of my account I would contact Google support and try to resolve the problem. If that failed I would open another account somewhere else, transfer my email address/domains, files, and email archive to that new account, and get back to work.

I would advise them to avoid using any device attached to the internet. Or become a world class security expert

Google, like Microsoft, provides services to businesses, organizations, and governments. It has to be compliant with the laws, etc in each country as well as the requirements of their customers. I’m comfortable using the same service as some of the largest companies in the world.

Apple’s primary business is selling iPhones and services to consumers. Their iCloud policy is one page and, AFAIK, the only reference to business deals with “protected health information”.

If you don’t want to put your data online that is your choice. Personally, I suspect it will become harder to avoid as our devices and operating systems evolve. But I’m retired and my life is much easier not needing to keep decades of information with me.

If I travel outside of the US I can use 1Password’s travel mode to remove any data I don’t want to disclose to border guards, should they “insist”. I can remove all traces of my primary email address and just use my free Gmail account. And if my Mac is stolen or my home is destroyed while I’m gone all my files remain on Google, Apple, and Backblaze.

I suppose it’s a good thing that you can now buy small compact ssd storage. It might be worth moving as much cloud data to ssd’s. Obviously not as convenient.