Computing with Privacy and Security

My data is on my MacBook Air, my Samsung T7 SSD Time Machine, and a 64 GB flash drive I keep synced with FreeFileSync.

I’ve lost enough data over the decades; I’ve learned how to backup my stuff.

Could you elaborate a bit on this? Are you saying that technically, we are not suppose to, for example, save journal articles to the cloud for storage and retrieval? If that is the case, then storing articles to a database like DEVONthink would seem to be a wise course of action, though if one syncs DT, I suppose it could be argued it is still “in the cloud?” I have thousands of journal, news, webpages, and other articles stored in Finder under my research folder. Are these technically at risk?

Any legal experts want to weigh in?

Oh, I could definitely be wrong about it. I’d love to be found wrong about it. I’d love to hear some real legal advice.

Nothing personal, but I really hope you are wrong!

I’ve sent an email to MacSparky to ask just that.

I’ve never trusted companies, I trust people. We have learned through discovery from various legal matters what Apple is willing to do to protect their market share. And it has been banging the privacy and security drum for so long, it may now be starting to be a problem for them. How can Apple appear to put privacy first and match the AI abilities of all of its competitors?

IMO, it is probably no better or worse than any other major corporation. I prefer their hardware but they will have to catch up, and then keep up, with the rest of the tech world to keep me as a customer.

Speaking of which, just posted this story from 9ro5 Mac.

Counter intuitive - As I’m aging I’ve becoming less concerned about security and privacy. I’m a nobody and have probably wasted too much time and money protecting that which nobody will probably every want.

Looking back, when I switched from PC to Mac, I enjoyed getting back entire weekends that I used to spend editing config.sys and worrying about IRQ order to get a damn printer working, something I no longer had to do with “plug and play” printing on Apple.

I’m now starting to think too much time and effort is wasted worrying about “the new world order” and protecting against the perceived threats to my privacy and re-thinking a lot of things.

I look at my friends and relatives who are not power users, and the built-in protections, even in those “evil” people at Google and Microsoft, letalone Apple, seem to give them enough protection to live their lives in blissfull ignorance.

I feel like a power user that is cursed like early biologists that took their first look through a microscope at the world of germs and bacteria and went “holy crap!” and then spent the rest of their lives in neurotic worry.

You present your case from two aspects, loss of trust in the agencies that receive your information and loss of trust in your own ability to filter what you post to those agencies. The latter does not require whole scale tossing out the agencies. I might make an analogy that we would be upset when Alcoholics Anonymous would advocate that its members march to burn down Jack Daniels distilleries.

The former concern is a matter of knowledge, understanding, and choice. How much do you know about what is being done, how much do you understand why it is being done, and how much do you disregard or disagree with what is being done, whether for moral or financial grounds?

As to my own stand, I dismiss foremost agencies that provide me no necessary or desired benefits, either by my lifestyle or by the benefit to cost ratio in their use. Facebook, Twitter/X, Instagram, and the like are in this category. Then come those agencies that I need. Google (Drive + mail), iCloud, and sometimes DropBox are in this category. Finally come those agencies that I enjoy. Amazon Prime, Apple Messages, and Apple Card are in this category. All above choices are personal, and I might say purposefully well-informed, choices.

I am not so strongly morally inclined to believe in divorcing from outside agencies because they engage in certain shades of unethical behavior vis-a-vis using my information for their own profit. We can argue whether this makes me naive at best or a passive contributor to some form of destruction at worst. Such discussions won’t change my stand to use the agency; at best they may improve my approach to secure how I use the agency.

With regard to this final stage, I am technically well-enough skilled to be able to implement almost any form of protocol needed to secure the information I share against further abuse. Most times, I view the extreme limits either as simply not worth my sweat or as counterproductive against other needs or desires. By example, while I see (e.g. via separate threads on this forum) what extra security can be gained by apps such as Little Snitch or services such as NextDNS, I am perhaps best said to be simply too weary to bother. And, in some cases, implementing changes would require me to explain and sustain the revisions for less-technically inclined members of my family, which in itself is enough of a hurdle to dissuade me going down such a path.

In summary, some of your steps appear to me to be excessive, much as avoiding to walk outside in a on a mildly rainy day for fear of getting hit by lightening (as opposed to standing barefoot on tin-foil in a wide-open field on a strong thunderstorm). I can applaud your diligence to do what you are doing even as I recognize that we certainly do not share the same conceptual or practical religion about certain things on this topic.

You appear to be well-intent and enjoy what you are doing, you certainly are not harming anyone else by what you do, and perhaps you are even in some way preventing some harm from befalling others by what you do. So, go too it!

–
JJW

(Sorry DrJJWMac, this was meant to reply to the whole thread & not your post in particular.)

Privacy is a somewhat nebulous concept that means different things to different people. Creating an effective privacy and security policy, whether for an individual or a group, starts with threat modeling. If we don’t have a good concept of what we’re trying to protect ourselves from we’re not going to do a very good job of protecting ourselves.

I think Denny did a fine job of articulating what threats he is interested in protecting himself against and why and then detailing steps he has taken in pursuit of those goals. Also, personal ethics matter.

I suspect that executives who espouse the "privacy is dead’ position only do so because they profit from it, but will become awfully upset at anyone who attempts to dig into their personal lives.

I’ve long been interested in personal privacy, going all the way back to Robert Ellis Smith’s Privacy Journal, which he started publishing in 1974 and I discovered in the late 1980’s. Although it’s likely impossible to live an anonymous life in most parts of the world at this point, there are still a number of steps that individuals can take to shrink their data footprint and still live a full life in the modern world.

Perhaps this one?

“A Dad Took Photos of His Naked Toddler for the Doctor. Google Flagged Him as a Criminal.”

New York Times, Aug. 21, 2022

The only note on potential threats is “… I made the mistake [believing] `I’m not doing anything wrong, I’ve got nothing to hide’”. I am not sure what to read between the lines as a clear threat.

Yes, otherwise true, the articulation of his extensive steps is well done.

So, back to your starting statement.

Do you really believe that the OP has presented a well-defined model of threats so as to be strongly convincing enough to warrant the responses that he presents? I don’t. But, as I said in support of his sense of a need and/or a desire to do what he is doing … Go for it!

Let’s drink to this as a good agreement overall.

–
JJW

That was it. But I linked to an archive.ph version to get around the firewall.

I’m not sure why, but your post made me laugh, especially the last paragraph.

As @liminal suggested, privacy is nebulous and means different things to different people. My threat model is somewhat general. I’m not currently engaged in high risk journalism or activism. Nor am I doing crimes. Of course, if I were doing any of those I would not admit it here.

My current efforts are what I consider to be both extreme but also prudent in the current political environment. My threat model is somewhat general in that I am responding to what I see as a baseline of invasiveness being carried out against the general population and I do not wish to be subjected to it.

• I’m not okay with my private files being scanned by a cloud provider. Whether I am organizing a birthday party, interviewing a whistleblower or organizing an antifascist political meeting, I simply do not want my documents scanned by Google or any other corporation.
• I believe that privacy crosses lines. The choices I make in regards to my security and privacy can affect others. Specifically, people in my computer address book, which is no small detail. We seem quick to dismiss the importance of that data that may include their home address, place of employment, phone number, birthday and family members. Likewise, others’ bad data practices may well be leaking my personal data that I did not agree to share.
• While it’s true that much of my data may already be out there it is also true that I’m not okay with that. I did not consent. And please don’t suggest that by being alive, by using the internet I consented. If that is your response you are taking the wrong side of this. I did not consent and I do not. And so I am making the effort to protect my data going forward.
• Beyond myself, while I have no children of my own, are we all so self-centered that we are willing to give up on privacy for future generations? I do not wish to concede privacy as a lost cause for others. I want them to have privacy. I want them to have the ability to exist without being tracked every moment of every day.

I suppose you could say my threat model is a dystopian hellscape in which corporations specialize in collecting the complete, day-to-day movements and actions of every person using the internet or a mobile device.

• Where I wake up.
• What website I looked at when I rolled over in bed and opened a browser on my iPad at 6:30 am.
• That I tend to wake up and begin using the internet at 6:30 am
• That spend Tuesdays and Friday nights at a specific address
• I don’t want it known that I purchase this or that product once a month, every month
• I don’t want Walmart to know what my heart rate is when I’m sleeping or my step count or my workout habits
• I don’t want it known that I’m seeing a particular doctor or taking a particular medicine

I could go on. What I’ve learned is that the profile thus far created of me is far deeper in detail and creepier than I’d ever considered. If a stranger came to me and said, “Hey, I know this is a weird request, but I’d like to follow you around for the next year. You’ll probably see me outside your windows with a camera. And you’ll see me in my car following you. Oh, and you’ll noticed, I’ve installed cameras in your home because I don’t want to miss anything when you’ve got the curtains pulled.” I would not be okay with that.

Is my approach extreme? I would argue that it is as extreme as it needs to be to match the degree of invasiveness and violation being carried out upon my daily life. And let’s not kid ourselves about false separations of digital life and “real life”. Our digital lives and our real, day-to-day physical lives are now so intertwined that they are the same thing. I would not tolerate a home invader in my living room, why would I tolerate one in the devices I use everyday?

My statement was influenced by the fact that I’ve been reading (and enjoying) Denny’s blog posts about his privacy journey which have more details than his original post here.

Thanks for reading and for the kind words. For anyone interested, you can read more on my blog.

Please note, it’s a general blog and while most of what I’ve posted over the past 8 months is tech related I have also written a good bit about culture and politics.

And I can be quite colorful in my language at times.

I’m about 8 months into the process.

I’ll work on a detailed post later. Been converting databases today. But this basically sums up my overall view.

And yes I get the irony of posting an Amazon Link in this thread.

Sadly, that is a fairly accurate description of today’s world, IMO, and it’s been coming for a long time. Which anyone who started receiving “Happy Birthday” invitations from AARP and other companies shortly before they turned 50 years old can attest.

Before 1984 they used to do it just before someone turned 55. Lack of privacy isn’t anything new. The problem is just much bigger now.

Here are my 2 cents. I used to care more about privacy and payed for Proton services for a few years. Now I have a subjectively “reasonable” model for myself. But convenience and not being difficult for my friends and family also play a role.

I do not worry much about email privacy and consider it a post card. E2EE is a two player game and the world does not care. I was happy to have received one PGP’ed mail in my life. So I use iCloud. I have some trust into Apples va£U€$ on privacy. It currently is their business model. If and when that changes I will adjust my family’s tech stack. They offer E2EE for most jurisdictions and will be sued heavily if found lying. And as the case in the UK showed they seem to let us know indirectly. Somewhat puzzlingly the controversial US government seem to be in favour of E2EE. Honi soit qui mal y pense…

However, I keep a private copy on my Mac of my iCloud data and have an SSD for backup. In addition, I try to avoid Google/Meta and other vendors who base their business on profiling me. And I pay attention to where I leave my data and practise digital hygiene by cleaning my online accounts on regularly. In addition, I use the given privacy settings of services I use. I also recommend having a domain registered so changing mail does not become a hassle once your vendor acts up.