Site icon Easy Prey Podcast

Firewalls Don’t Stop Dragons with Carey Parker

Easy Prey
“As a society, we should be thinking about privacy. When we give away that much information, it gives power.” - Carey Parker Share on X

We all use technology. Things like internet browsers, search engines, instant messaging, and payment apps. But we aren’t always aware of the data being collected. This information can not only impact your privacy, but those around you as well.

Today’s guest is Carey Parker. Carey is the author of Firewalls Don’t Stop Dragons, a step-by-step guide to computer security and privacy for non-techies. He also hosts a podcast by the same name. He recently retired from a career in software engineering to focus on teaching others how to defend their digital devices and protect their personal data.

“Privacy and security are different things. They are related, but they are very different things.” - Carey Parker Share on X

Show Notes:

“There is a valid reason to collect this data from a software development and support point of view.” - Carey Parker Share on X

Thanks for joining us on Easy Prey. Be sure to subscribe to our podcast on iTunes and leave a nice review. 

Links and Resources:

Transcript:

Carey, thank you so much for coming on the Easy Prey Podcast today.

Hey, thanks for having me.

Can you give myself and the audience a little bit of background about who you are and what you do?

I'm a software engineer by profession, electrical engineer by degree. About 10 years ago, right about the time when Snowden revealed what he revealed about our privacy and the mass surveillance going on, I decided that I wanted to do something about that. It bothered me. I've always been a private person, but I think in a normal way. I act differently with my friends and my family and my extended family at holiday gatherings versus people at work and my kids.

To me, those are all different aspects of my life. I like to be able to control what I share with different people in different situations. It really bugged me when I found out that our government was doing mass surveillance. I'm not a black helicopter, tinfoil hat kind of guy, but it's one thing to think, “Yeah, this is possible; surely they could do this.” That's another thing to think they are doing this and they're doing it to everybody.

In 2013, when that happened, I thought about what I wanted to do. I always wanted to write a book. So I thought, “OK, I'm the IT guy from my family,” being a software engineer. Everyone's like, “Carey, why is my computer running slower? Should I be doing antivirus software? Is a Mac better than a PC?” Asking those kinds of questions.

I thought, what if I just wrote all that down, and I put it all in a book and tried to help regular, everyday people, nontechnical people, to do the really easy, low-hanging fruit kind of stuff to protect their security and privacy? Honestly, security was my mindset at the beginning. It took me a while and five editions of the book. It's the fifth edition now to really realize that privacy and security are different things. They're very related things, but they're different things.

Anyway, that's how I got started doing that, and that was 10 years ago. Then I retired, and I was lucky enough to be able to retire early from my software career. Now I will focus on this. I've got a book, and then it turned into a podcast where I interview some other people like you do with me. It gives you a great chance to talk to other people.

I do new stuff as well. It's like, “These are viruses you need to be worried about. Here's a privacy concern. Here's a data breach.” That's how I got from there to where I am today.

That's cool. Just so people know, what's the name of the book?

Of course, so the book and the podcast are both called Firewalls Don't Stop Dragons. It's a strange name, but I like my analogies. The key analogy in the book is defending a medieval castle, and I try to make analogies between that and how we have defense and depth.

For example, how a castle has not just one type of defense—it’s got tall walls, it's got a portcullis, it's got a drawbridge, it's got moats, it's got a castle guard; that’s defense and depth. We don't rely on any one thing because there are different kinds of threats that we want backups.

We don't rely on any one thing because there are different kinds of threats that we want backups. -Carey Parker Share on X

Anyway, I use those analogies. The central analogy of the book is defending a castle. Then to bring it all home, the notion of the dragon in the book. In the book, the dragon is the NSA or the CIA or GCHQ. My point there being, if you try to make a dragon-proof castle, you're going to go broke and/or insane trying it. So don't. That is not the goal of the book or should be your goal in life.

I really try to focus on 80/20 kinds of stuff. A lot of the low-hanging fruit, because if we all did these things, we'd be much better off. Firewalls Don't Stop Dragons is the name of the book and the podcast.

Awesome. But today we're talking about privacy. We talked a little bit before we started recording about your perspective on privacy, not just being a me thing or an individual thing, but it's a collaborative, group thing. Can you explain that for the audience in a little more detail?

Yes, and I think this is a key point. I don't really say this explicitly in the book, but it's like two debunking themes in the book. First of all, what I really want to make sure people understand is that it's not hopeless. Privacy or security, they're not helpless, and it's not too late.

You might think the horse is out of the barn. I've already shared some on social media. I posted all these pictures online and made it public. It's too late for me. That's not true. There are a lot of things we can do today that will have an impact. I tried to say that, but then I also focus a lot on privacy and it's not just a me thing as we think.

There are so many people, I think today, who think they understand all the privacy violations that are going on, and they've accepted it. I get Gmail for free. I get Facebook for free because they are monitoring me and they're serving me ads. You know what? OK, I'm bored. I don't care if that's what it takes to get free things. I'm fine with that.

But the point I tried to make is that privacy and security are not just me things. They are we things, as we said, and that's because your privacy and your security overlap mine.

Let's talk security first. If your laptop is compromised and you bring it over to my house and get on my WiFi, there's a good chance that the other devices in my house are now at risk because your laptop on my WiFi is compromised.

Similarly, with privacy, if you post pictures online on your social media and they include probably other people, they may be people you know, maybe people in the background you don't know, but you probably posted pictures of family and friends. Even if they aren't on Facebook, now their photos are on Facebook. Facebook will prod you to tag all those people.

I don't know if people are aware of this, but Facebook keeps profiles on people that don't have Facebook accounts. That's a lot of what they do because they're an advertising company. Same with Google there. These are advertising companies that happen to make these other products. People think, “Ah, that's OK. I don't care about that.” But your security and your privacy overlap mine, but it's even more involved than that.

Even beyond your friends and family, if that's for you, and it should be, we should all be thinking about privacy as a society, as a people, as a democracy. When we give away that much information, it gives power. There's a great book called Privacy is Power by Carissa Veliz. If you haven't read it, I highly recommend it. That gets into a lot of that subject.

We should all be thinking about privacy as a society, as a people, as a democracy. When we give away that much information, it gives power. -Carey Parker Share on X

Edward Snowden talked a lot about that, too. One of my favorite quotes from Snowden was arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say, and that says a couple of things.

First of all, privacy is a right, which means you don't have to argue for it. You just have it. You don't have to justify it to anybody, but just because you don't want to do anything with it for yourself doesn't mean you don't support the right of other people to enforce it for themselves, to claim their right to privacy even if you don't care about yours.

The other thing it says is that we all need to participate in this. This is a collective thing that we all need to be doing together. It's not just about yourself. We all need to protect things together because as a democracy, as a society, we need space to have privacy. We need to be able to have conversations among ourselves that might be violating some norms, in some cases, maybe even violating some laws.

Interracial marriage wasn't legal going all the way back through history. Laws change, norms change. Just the last couple of years abortion is now legal in a lot of cases, but has kicked back to the states in the United States.

Privacy around that has become a big deal too, and you might be giving away someone else's information by posting something a little bit, oversharing on social media. We're all connected now, and it's all important that we understand that it's not just about yourself, but we need to be protecting this for all of us.

We're all connected now, and it's all important that we understand that it's not just about yourself, but we need to be protecting this for all of us. -Carey Parker Share on X

I remember reading recently a story on CNN that the children of the first Facebook users are now becoming adults. They're hitting their early 20s. This particular story was about a woman who basically has no privacy of her upbringing and how that's impacted her. Her mom posted all these significant events in her life almost daily up until she was an adult. Now she has like, “I have no privacy in my youth. There isn't a story that my mom hasn't shared about me. My whole life is an open book because someone else made a decision without my permission to do this.”

That's a great point. Absolutely. That's where it overlaps. It's not just about you.

What are some of the things that companies are doing with our private information? How does that spin off to other people?

There are a lot of cases like that. One of the ones that always comes to mind when this comes up is the priest who was outed by his Grindr data. These apps, and in some cases, the Grindr app in this case, probably was using a software SDK. They probably weren't doing this necessarily themselves.

As a software engineer, I can tell you when you build software, a lot of times you don't want to reinvent the wheel so you bring pieces and parts from other places. You buy third-party things off the shelf or sometimes they're free. The reason they're free oftentimes is because they're collecting data.

Some of these apps have these built-in things where maybe it's a feature for checking in. I want to know where you are so that when you go to someplace, I can offer you coupons or we can maybe social media kind of thing. You can say, “Here's where I'm at this time.”

What happened with this Grindr data is this group wanted to find out, they thought that maybe some of the clergy were doing things that were against their vows and certainly against the church teachings. They bought, on a third-party, a bunch of location data from some of these apps. It turns out that you were able to find a particular person based on the location that was supposedly anonymous data.

That's another thing that we're often told is, “This data is anonymized,” but location data is really hard to truly anonymize because your movements are very specific to you and they were able to figure out with some geofencing and some of the things they were doing. They figured out that a priest was frequenting some places that were gay bars or things like that and they outed him and he lost his job. That's one example.

What's really going on here is all these companies—Google, Facebook—all these third-party data brokers are collecting all this data ostensibly to improve the advertisement that they give you, but because they're collecting all this data on us, this data can first of all, get loose. Hackers can get ahold of this data. Certainly foreign governments are very interested to find this data. They would be wanting to find out about politicians or military movements or things like that.

Hence the concerns about TikTok.

Yes, TikTok and Strava, which was a running app, they found a lot of bases in Afghanistan where people […] were automatically plotting their running routes and they're in the middle of nowhere. Then people figured out that it's not really in the middle of nowhere. There's a secret military base there.

These companies collect all this data extensively for marketing purposes. Then bad guys or governments, including law enforcement and foreign intelligence agencies, can get ahold of this data and do a lot more with it.

We are really enabling us with all this free market economy that we have where we're giving up all this data through all of these apps, apps on your phone, social media, things that you're doing. It turns out it gets bought and sold for a lot of purposes, and all that collective data—again, not just on yourself. You’re traveling with other people in the car, for example, other people you take photos with get identified by Clearview AI and the tools like that that do facial recognition, expose a lot of us to privacy invasions that a lot of us are not thinking about.

When it comes to the government, in particular, they have a lot more power than us. Our governments have the ability to put us in jail or fine us or things like that, that we don't have. It's an asymmetric relationship, and that data can be used against us there too.

We have to be careful not to demonize now that we're doing it, but careful that we're not demonizing app developers necessarily. Because if I remember right, there was one of the analytics packages that was made that someone made available to developers collected ostensibly just for when are people using the app? How are people using the app? But it was collecting a lot more data behind that.

“I thought I was just doing stuff to make my app better, but I didn't realize that it was going off and doing this other stuff.” The same thing with all the ad SDKs. The developer doesn't know what it does. They're just including it because they want to have some ad revenue to offset their operational costs.

Right. As a software developer, that data is very valuable to me. I understand. I was in DevOps, which is development operations. When we were deploying devices all around the world at Cisco, they were pumping back lots of data for us.

One of my mantras back in the day was I wanted to know about the problem before the customer did. The telematics that we were getting all this analytic information helped me do that and helped me do my job. I understand that. The problem is if you're not careful with it, it could be used for other purposes as well.

Yeah, I like that. The reality was you're trying to find out problems before they happen. I was thinking, “OK, you're deploying a VPN application. If an upgrade of it all of a sudden starts dropping the VPN connection, you want to know that before your users report it so you can fix it on the next update.”

Or roll back the update.

Right. But if it's a platform that you use from somebody else where there are just so many things these days where you're rolling in something from somebody else in a development.

I get that too. I understand that, and you're right. So the problem with a lot of this stuff is it's really dual purpose. There is a very valid reason to collect a lot of this data from a software development and support point of view.

The way a lot of these things work is certainly as a regular app developer that without a company behind me, I bring in a lot of these pieces to these software development kits because I can't afford to develop those things on my own.

What that means, unfortunately, in the background, is that there are some third parties that put these SDKs in many different apps, and they are now also getting that data, and they are monetizing it in their own way.

I'm sure somewhere in the terms of service for you using their SDK have agreed to allow this to happen and you're supposed to put that in your privacy policy for your app so the end user is supposedly aware.

Notice and consent is another thing that's very broken when it comes to privacy. But there are all these third parties that are collecting and out the back door, they're selling it to honestly whoever's willing to buy it.

I don't think people particularly have a lot of discretion and who they're selling data to. It's their business model. “We sell data.” I guess if you came along and said, “Hi, I'm Isis or Al Qaeda. I want to buy data. I'm a known terrorist organization. I want to buy data.” People would probably be a little skeptical about it, but usually those types of people aren't announcing who they are and adversarial governments aren't buying it through the front door. They're buying it through some cloak-and-dagger business that buys data. No one would ever realize.

By the way, that's another great book. I just interviewed Byron Tau who wrote a book called Means of Control. That's another great book to read if you're at all on the fence about privacy and the way some of this data could be abused. Read Means of Control. It's a great book.

I think a lot of this stuff is, to me, like trade-offs of who you do and who you don't trust, or who you think is a little bit more trustworthy than someone else. Lots of times, people are like, “I want to use a VPN,” and I'll be upfront that I promote VPN usage, but there's an understanding that you're trading who you're trusting.

Absolutely.

You're saying, “OK, who do I trust more? My ISP, the coffee shop who's providing the Wi-Fi, or the VPN provider? Who do I trust more?” If the VPN is free, then they're selling data.

Yeah, sadly even if it's not free, they might be selling data. But yeah, certainly if it's free, in many cases, I would avoid it. VPNs are really, I think, misunderstood—what they do and what they don't do, and what their real purposes are.

Back in the day, it was to connect road warriors or maybe people working in remote offices back to the home office. To literally virtually connect you to some other network that your corporate network usually and it wasn't really about privacy.

We've been trying to shoehorn that technology into privacy thinking if what you don't trust is your ISP, your local ISP—and by the way, that ISP could be McDonald's, Starbucks, the airport, whoever is currently providing you access to the Internet is your ISP. If you don't trust them for some reason, then yes, a VPN can hide your traffic from them. By the way, your ISP is tracking you. They are noting where you're going.

A lot of your connections today, thankfully, are encrypted. HTTPS is now standard. About 90%–95% of connections are now that way. But there's still a lot of metadata there, including the DNS lookups, and how much traffic you're sending, and when you're going, and how often you're going. That metadata is still liable too.

They know if you're going to YouTube; they don't necessarily know what videos you're watching and maybe some other services that you don't want people to know what videos you're watching.

Correct.

They know you're going to that site.

You're absolutely right. Then what you're doing is you're trading mistrust in your ISP for trust in the VPN provider. If that VPN provider is logging everything you do too and selling to someone, it's just a different way of doing it. Yes, you want to go for a quality VPN, hopefully, one that doesn't log and things like that. But yeah, it's tricky. Let me put it this way: VPNs really aren't meant to do what we're trying to make them do in terms of privacy.

They were designed to connect you to devices in a different location, but it's how we've chosen to…it does what it's supposed to. When properly configured and done does what you want it to do.

Yeah, unless what is it? The option 121 comes in and they reroute traffic. Anyway, there are some weird technical things.

I know you said earlier that you're not a tinfoil hat person, but I want to ask a tinfoil hat question just because this is a field that you're interested in. Would you expect that one of the major VPN providers is run by a nation state?

Well, it's funny you asked that question because I just interviewed Joseph Cox about his book, Dark Wire, which was about the FBI running an encrypted phone company.

In the criminal underworld, they want private communications. Obviously, they're planning crimes, and there were phone companies that had sprouted up to meet that market. One of the big ones had just gone under, and the FBI was trying to use them to backdoor that device.

One of the people associated with that came forward and said, “You know what? I'll tell you what. If you let me off the hook, I was about ready to launch this other phone thing called a […]. Why don't you guys run it and then you guys could get all the information?” They did it, and they ran it for three-plus years, and all the bad guys were buying these phones for each other. This is the greatest thing since sliced bread.

Then they were, and when things started going back, they never blamed the phone. They're like, “There's a mole in my unit or something.” Then finally, the FBI just rolled this whole thing up across the globe and said, “Yup, that was us. We were running these things the whole time.”

To your question, I don't know. I don't know that you can know. The best thing you can really hope for is to try to find somebody who's got a good reputation. I like Proton and Nord. It is interesting too—Express VPN or some other ones people have liked—where are they located? Where are they headquartered? What law jurisdictions are they under? Do they do logging? Do they have independent third-party audits? That's something I definitely like to look for. As a regular human being, we would probably never know if that was going on.

The key thing is just don't do illegal things.

Right. It comes in a threat model. If you're a drug kingpin and you're moving thousands of kilos of coke, that's one threat model. I'm guessing you and me and most of our audience today, if you're just a regular everyday person, that's a whole different threat model.

Don't let a lot of those stories about those things scare you. Know that if you do the basic things—again, 80/20 rule, there's a lot of low-hanging fruit—and just do a little bit of homework on these, you'll be so much better off than most people. It's worth doing.

What are some of the 80/20, low-hanging privacy fruits? There are definitely things that I do. Before my favorite sandwich shop closed, they had a clipboard asking for your name, email address, phone number, and your date of birth so they could send you 10% off on your birthday. I looked at that every day that I walked in and I noticed that there were always different people's names on there. I thought, “I'm definitely not putting my name on there.”

Low-hanging fruit for privacy. One of the things I tell people for sure is stop using Chrome. I know it's the most popular browser on the planet, but it's made by Google, if you don't know that. Google, as we've said earlier, is an… Share on X

Low-hanging fruit for privacy. One of the things I tell people for sure is stop using Chrome. I know it's the most popular browser on the planet, but it's made by Google, if you don't know that. Google, as we've said earlier, is an ad company. Google has been trying to do some good things around privacy, but at the end of the day, they're so conflicted. I can't trust them on privacy.

They want to do things for general privacy, but they're not willing to turn off things that benefit them in terms of privacy protections.

Right, because it's almost always the attitude that we're going to keep you private from everybody but us, and you can trust us. What is the implication? They often say we don't sell your data and that is true because technically they're selling access to you not selling your data. The data is the gold for them.

They are the advertising company so they collect all the data, and they use that as an advertising company to feed you targeted ads. In that sense, they're not really giving away your data, but they're certainly collecting that data and using that data.

They're monetizing your data.

They're monetizing your data, absolutely. I mean it's a capitalistic society. That's what they do. That's how they make their money. You just need to understand that. I would not use Chrome browser.

I like Brave, Firefox with a couple of plugins, like either Privacy Badger, or I really like uBlock Origin. If you set the privacy restrictions on Firefox to strict, you're in great shape.

Safari, actually, on Apple's not bad either, but it's only on Apple. I tend to try to promote things that are cross-platforms so that everybody can use them. DuckDuckGo has a decent browser as well. Those are all way better in terms of privacy than Chrome.

That is an easy one. You don't have to get anybody's permission to do that. You don't have to coordinate with your friends like you might if you're going to Signal, for example, which I'll talk about in a second because that takes two to tango, at least.

That’s something you could do unilaterally. You can import all your bookmarks, you can import everything from your current browser, whatever that is, and it's like you never left. Browsers are browsers. It's pretty easy to go from one to another. That is something I would certainly do.

The other thing, to your point earlier, it's become a lot easier today to come up with email aliases. Companies love to get your email address and your phone number because most people only have one or maybe two. Those become unique identifiers, almost just like a Social Security number. You can port your number from Verizon to AT&T, or wherever you're going so you can keep that number for life, and most people do because they don't want to tell everybody what a new phone number is. But there are ways.

It's hard to do with phone numbers, but there are certainly ways with emails where you can have aliases and you could give a unique email address to everybody who asked for your email address so that when the companies try to correlate you across all this data, they're like, “It's that person, that person, I don't know. The email addresses are different.” That is one way you can throw them off the scent and not leave as many breadcrumbs. That's another easy, low-hanging fruit thing you could do.

With phone numbers, you can get VoIP phone numbers. Look at Hushed or MySudo. There are some other companies that allow you to create secondary phone numbers. It'll cost a little more money to do that. You can't just willy nilly create hundreds of them, but you could do a few of them. You could do a handful of them. I only give out a Hushed number for most of the people who demand that I have a phone number, and the nice thing about most of these, they can accept text messages as well.

Most of them, like when you go to a restaurant, they say, “Give me your phone number because that'll get a little vibrate.” They want your phone number and they want to text when your table's ready. Of course, somehow that information gets sold to somebody so you can get this other number instead. There are ways that you could use aliasing to stop all kinds of cross-correlation of all this data.

We'll get to the messaging apps. What about search engines?

Brave Search is pretty good. DuckDuckGo is pretty good. There are some meta search engines that use Google in the background and supposedly keep you from being tracked that way. Personally, I've been very happy with Brave Search. Google search has gotten horrible. I mean, you have to scroll down a page or two before you get past all the sponsored crap and the AI-generated stuff that tells you to put glue on your pizza and all that stuff—it’s gotten really bad.

I think I had heard that the guy who took over Google Search used to be an ad guy, and that was a recent change. I think that's part of the reason why it's gotten so bad in the last few years. I'd say DuckDuckGo or Brave Search.

How about online payments? I'm intentionally being vague here because you might have some ideas that I don't.

Online payments are tricky. I definitely would not use Venmo. Venmo was a social app. For the longest time, everything you did with Venmo was public. There were people that were getting busted for buying pot because they put money in my drug dealer or whatever is the message on their Venmo transaction.

I think they actually found Venmo transactions from the president at some point because it was all public by default. I think they may have finally changed that. Don't use Venmo if you can help it. Zelle is something that's been used by banks. If you have to use something, you use that. PayPal isn't horrible, but it's not great. The online payment system is pretty bad.

Apple Cash is pretty nice, but it's only within the Apple ecosystem right now, so it has to be Apple to Apple. The new iOS 18 is going to have the feature where you didn't even have to know somebody. If you're in physical proximity, I can give you $20 by tapping my phone to yours. I don't have to know who you are. That's nice.

What about companies that offer virtual credit cards?

Oh, I'm glad you brought that up. I use privacy.com, which I really like. To the external world, it looks like a credit card. To you though, it's really a debit card. It's a little different because you don't get a 35- or 45-day grace period to pay it. It comes right out of your account. But it allows you to create a custom virtual credit card for each payer or each person you're trying to pay. You could have it set to a fixed amount, a fixed amount per year.

One time you can set all these things that blocks them from getting a lot of the information you normally would get. Because, by the way, MasterCard and Visa are selling your data as well. They have arrangements with the people that take their payments to do so. That is a great feature, so I recommend checking out privacy.com.

If you use Apple Pay, by the way, it does also a very good job of not giving away that much information about you to the person you're buying from. I like using Apple Pay as well. But again, that's Apple only.

I was going to ask about social media, but social media and privacy are opposites. I don't think you can use social media without having major privacy issues, but I suppose there are things like on Facebook, there are probably some settings that you should use?

I don't even know what I would put there. First of all, let me just say that I understand the value of social media. I think other than the algorithmic feed part, when you're viewing stuff from the people you actually want to follow, like your friends and family, I think that has value the way they used to do that.

I personally like Mastodon. If you're on Twitter or Threads, give Mastodon a really hard look. That's a social media thing I get behind. But a lot of people on Facebook—I understand the value of being on Facebook. Just make sure that the things that you post are not public by default. Restricted as much as possible.

Because the people that you really want to see are just friends and family. I know some people like to post what they're eating today to the entire planet. If you want to do that, great. Social media is generally not good for privacy.

I definitely know some people that if there is ever somebody who is not an adult in the photo, that they put an emoji over the kid's face because they've decided, “I don't know what this kid's future opinion is going to be about these things, therefore I'm just going to cover up their faces.” They don't have to have that in their history in that sense.

Realize that when you're taking photos on your iPhone, which has a built-in GPS chip, that location information, by default, is embedded in the metadata of that photo. -Carey Parker Share on X

I think that's a good idea, certainly for kids. Realize that when you're taking photos on your iPhone, which has a built-in GPS chip, that location information, by default, is embedded in the metadata of that photo. Now, a lot of social media apps will strip that before they post it, but they still get it, so they know that.

But even creepier than that, especially when I'm glad you mentioned kids because you can often, even without GPS information being embedded in it, there are a lot of AI tools now that will find where that picture was taken by looking at what's in the background. If you think about, “Wow, how could that possibly be? Just look at Google Maps and Street View. They have cars running around everywhere that have pictures of just about every place from every angle.

It will not be that difficult. There are already tools today that can help you figure out where a photo was taken just by looking at what's in the background. There are creeps out there who will use that to figure out where your kid is. I hate to say it, but yeah. For kids in particular, absolutely. I agree.

I've been particularly impressed by some people in the OSINT community who, when those public tools can't find things, the amount of things that they can find are pretty crazy. I was interviewing one person, and I'll try to link to the episode. I don't remember who it was at this point. He worked in the OSINT community, particularly for missing and exploited kids.

They had a picture in a hotel room and the window was open. You could see out across the street. They were able to figure out where in the world this photo was taken. They were able to figure out the exact hotel room where the photo was taken because they had people who are like, “That's a very unique style of window frame on the shutter on the opposite side. It was only ever used in buildings that were built in this particular region in this particular time frame. You can look at the sunlight and be able to figure out the shadows.” Then they had someone who was like, “Oh, I live in that community. I will go look.” They were able within a couple of days to figure out this picture was taken from that hotel room up there.

AI is just going to start doing that stuff for you.

Yeah, it's going to do that natively.

Yeah, it is.

We talked about social media. Messaging apps.

The gold standard is Signal. They have been doing this for a long time. It's one of the few tools that's free that I can say they're not monetizing you. They are really doing this from an altruistic perspective.

Moxie Marlinspike, who's the guy who was behind most of this and is now moved on created just an amazing cryptographic tool that has become, again, the gold standard for private communications. And it's easy to use. It's gotten so good.

It works like iMessage or anything else you’re used to. It might not have some of the whiz-bang features. It doesn't have quite the same emojis and GIFs and that kind of stuff, but it still has some of that and it is by far the way to go.

WhatsApp, which was bought by Facebook is based on the same protocol, but the reason I can't recommend it the way I would recommend Signal, even though under the covers, technically, it's the same thing because when we talk about end-to-end encryption, it's to the end. At the end of that, where it's decrypted, where it shows you that is also Facebook. Facebook can see everything you can see and they are. I can't recommend it.

It's certainly better than nothing. iMessage actually on the iPhone is pretty darn good. If you're doing blue bubble communication, meaning you're talking to someone else on an Apple device, that is end-to-end encrypted, and that is fine for most people. But it's a crapshoot because if it fails for any reason, it'll back up to SMS green bubble, or if the person you're communicating with, you don't know is on an Android phone, you can't guarantee.

I personally prefer Signal. There are interesting other ones, but you need to find ones that everybody can use. The de facto recommendation for me is always Signal.

Awesome. Are there any other platforms or communication methods that we've missed here?

Let's talk about email. Proton is my go to for encrypted email communications. Email is trickier because email is an open standard. If I'm on Outlook and you're on Gmail, we can communicate. The emails work just fine because the standards are there and it doesn't really matter what you're on, thank goodness.

Unfortunately, email wasn't designed with encryption, certainly not end-to-end encryption built in. The way it works today is it's encrypted, like from your device into the Google servers and from the Google servers to wherever it's going. That traversal is probably encrypted, but at Google, it's not. Google may encrypt it on the servers, but they can read it. They have the keys, so it's not private. It's not end-to-end encrypted, so it's harder to do.

Emails are encrypted in transit only.

Yes.

Mostly.

But they have the keys. It's not what we call end-to-end encrypted, meaning that the only two people who could read that are the sender and receiver. If you really want that, and again, the easy button there is Proton Mail. The sad part is you pretty much need both of you to be on Proton Mail for that to work right, or at least for it to work seamlessly. Though Proton does have built-in capabilities to send encrypted mail to people that are not on Proton, they’ll have to enter a password and do a little bit of extra stuff. But you can do that that way, too. It's harder to do, but it is possible.

Proton's basic, entry-level account is perfectly usable. They've got calendars, and they've got VPN. They've got a password manager now. They're coming out with a docs program. I've actually interviewed the CEO of Proton four or five times now and they're doing great work at creating some really great products. They bought Standard Notes. They bought a simple login for email aliasing. They're doing some great work.

There's Mailfence. There are other end-to-end encryption email programs available, but the easy button choice is Proton.

Got you. Have we missed any? We've got browsers, search engines, messaging apps, email, social media, phones, and credit cards.

Covers a lot of grounds, actually.

Automated assistance. I'll call Alexis but with slightly different words.

So it doesn't trigger anything.

I don't want to trigger anything for anybody.

I've heard it called lady A, which is of course, but yes. Again, Apple has done a much better job with this than certainly Amazon or Google. A lot of this AI processing that they're doing, in this case, language processing, Apple has tried very hard to do it locally on device so that your information, what you're saying, and the processing, that doesn't have to go to a cloud.

A lot of AI processing today is still done in the cloud and that's where a lot of privacy concerns come in, that I don't think a lot of people appreciate. All these companies are throwing AI features into their products, which means that somehow behind the scenes, your data is being sent to some cloud service to be processed and then come back.

Apple's done a much better job of trying to do as much of that on the device as possible, using neural processing engines on the iPhone or on your Mac so that it stays private.

With their new release, the Worldwide Developer Conference has this new thing called Private Cloud Compute, which is just mind-blowing. I can't wait to see the technical details of that, but they have gone to extreme measures to do cloud-based AI processing with zero knowledge about who you are or where that's coming from.

It's like, I've figured the Tor network, but they're using some elements of Tor and some of these other things to make it so that they can't know who you are and doing a lot of obfuscation for that.

Any AI stuff you have to worry about because it's probably going to the cloud. -Carey Parker Share on X

Any AI stuff you have to worry about because it's probably going to the cloud. They'll say that it's anonymized or it's encrypted or military-grade encryption, but they can still oftentimes figure out who you are, and they might be able to monetize the data with which you're getting processed. Not just voice assistance, but all this AI stuff.

When it comes to AI assistance, I would certainly go to Apple HomePods and the Apple ecosystem. I think they're not perfect, but currently they're much more private than Google or Amazon.

Should we be using other AI tools, or should we assume that all the queries that we put into those things are effectively public?

You should assume, for the most part, that they will be public. Know that whatever your prompts are and the responses are in the conversations you have with these tools can be or at least theoretically could be recorded and associated with you at some point. Yes, be careful what you're doing. In fact, a lot of companies are banning the use of these things in-house because they're afraid they're going to be giving away intellectual property.

As a coder, these tools are wonderful for generating working code, but you start doing that too much and these third parties are going to be having access to the code that you're putting in your products, which could certainly have marketing effects, if that may be security problems.

You should generally assume that, except with again, I think Apple is really going to try to break the mold on this. This Private Cloud Compute thing is really game-changing if they can get it to work. If it really works as well as they say it does, but yes, until then, just be careful. Just know that what you're doing basically could be saved and recorded by somebody else.

Oh, I just thought about another one: internet-connected automobiles.

Yes, privacy in cars. Actually, look up privacy4cars.com. I've interviewed a guy named Andrea Amico who runs that. I've also interviewed the folks at Mozilla, who did a report last fall about privacy, not included on cars, which basically all cars are horrible. Kashmir Hill at The New York Times is doing some great reporting on this. It's really coming to a head. Car privacy is absolutely horrible, and there's almost nothing you could do about it. Almost nothing.

Salesmen are being told that you can't let the customer out the door after buying a new car without them having installed and set up the car app. There are a lot of things you want to do with that app on your car. I understand that. You want to heat it when it's cold. You want to get it cooled off when you're sitting in the restaurant and it's 95 degrees outside and you want to tell your car, “Get cold for me before we get there.” I understand that. That's cool. But unfortunately, these cars have cellular modems now and they are collecting all this telematic information.

Even if you haven't subscribed to the service.

Yes, even if you haven't subscribed to the service. That's a very important point to make. You might think, “I didn't pay for the in-car Wi-Fi, so that's not happening.” Oh, no, it's happening. Again, this could be used for very important things. Like if your car is in a crash, they can call emergency services for you. I get that.

But they're also collecting and selling that data to other people to the point where if you've seen the articles there was a guy who went to get a new car insurance and everyone was quoting them rates that are 20% or 30% higher than what he's currently paying, including redoing with his own company. He's like what is going on here? He finally got one of them to tell you, “We'll check your report.” Like, “What report?” He had unknowingly opted into a driver awareness safety program with his vehicle.

It was very vague and was not clear that this was what was happening, but they were collecting data on him. When he broke his brakes too hard, when he accelerated too hard. These other things that might be associated with somebody who is a poor driver and that was all collected by LexisNexis and all the insurance companies got that guy's report and said, “You're a risk so we're going to raise your rates.”

Car privacy is absolutely horrid. Some of the car privacy policies, I think, who was it? Nissan or one of them actually said, “We might collect information about your sexual activity.” It was in the privacy policy. I don't care how you do that. I don't want that in my privacy policy for my car. Yet, what are your choices? You can't not do it. You can't really opt out of it. We need laws, unfortunately, right now because there's nothing stopping these people from doing this. It's horrible.

In theory, I know why they say that because they probably have a driver-monitoring camera and it potentially picks up other activity in the car, though they're not claiming that it's that accurate or that sensitive.

They want to cover their butts in case.

The lawyers say, ‘Well, this could happen. Even if it's not happening today, we want to include that in there so if something ever happens in the future, it's covered, because we said that in our privacy policy, which no one reads.”

Well, you can't. Honestly, I understand it when people say they don't read a bit. Even if you do read them, it doesn't matter. You can't understand them. They're so vague and the language they use has a dark pattern. It's meant to be confusing and it's meant to be vague to cover their own butts. It wouldn't matter if you read it anyway, even if you could.

But there actually was a case where Tesla engineers were looking at videos, because there are cameras all over a Tesla, and apparently I think people walk around naked in their garage or whatever was picked up on a car. These Tesla engineers were looking at these videos and they were caught doing it. It's happening. It's not just theoretical.

Any other parting advice for privacy for ourselves or for others—because it's a we situation, not a me situation—before we wrap up?

One other point I'd like to make when I want to talk about privacy versus security and I don't mean that in the way that you have to have one or the other. Some people are diametrically opposed. Some people, certainly in law enforcement or intelligence agencies, say in order to secure you, we need to give up privacy. I disagree with that. But when you're thinking about the differences between security failures and privacy failures, most security failures can be fixed. Let's say your computer's compromised. OK, worst case, you could buy a new computer.

Even if your money was taken, you could maybe get that money back. If it was federally insured or depending on what the scam was, you might be able to recover some of that. Those are the things you can undo or fix or recover from.

Privacy failures are not the same. You can't erase people's memories. You can't take stuff back once it's been exposed. Privacy in that sense is something you don't want to screw up because the consequences are more dire and more permanent.

If none of this has convinced you, first of all, you can read my book because I talk about this extensively in my book, but also Privacy is Power by Carissa Veliz, Means of Control by Byron Tau. I've got some other resources on my website that you might want to look into, including if you want to watch videos or documentaries instead of reading books, I've got some things you can look at there too.

Convince yourself that privacy is important, and privacy is not just about you. It affects the people around you, and it affects all of us as a society. It's something that's really, really important, and we need to pay attention to.

Convince yourself that privacy is important, and privacy is not just about you. It affects the people around you, and it affects all of us as a society. It's something that's really, really important, and we need to pay attention… Share on X

Frankly, in the US, we really need law. Be a citizen. Vote not just with your wallet, but go to the ballot box, go to the town halls, challenge your representatives to ask them questions about “When am I going to get a privacy bill and privacy protections?” Fight for privacy because it's in really, really bad shape.

I don't think that there's any way out of this regulation. I know people don't like regulation, but it's the reason you can get on an airplane without personally inspecting it. It's the reason you can go out to dinner and not have to go back to the kitchen and make sure that they're doing the right things. It's the reason you could take pills and not have to personally do trials to make sure it doesn't kill somebody. That came from regulation. That's what regulation does on a good day. We need privacy regulation.

Where can people find your website?

firewallsdontstopdragons.com.

That's easy. The name of the book, the name of the website. What's the content of your podcast?

I put out a weekly podcast. I've been doing it for almost eight years now. I'm coming up on the 400th episode. The pattern I've settled into is I do a new show, which each of these shows is about an hour. I do a new show every week where I get to catch you up on the things that are happening. The key thing is I break down these stories in the ways that make sense for you. A lot of times, these stories are either overhyped or they hype the wrong parts of them.

A lot of my job is debunking some things that the media covers wrong. Other times, it's finding stories the media missed that are like, “These are important. You need to pay attention to this, and here's why.” I have a new story, which usually includes a tip of the week, something actionable you can do, and that goes with my blog.

Then the other week, the odd week, the off week, I interview experts in security and privacy from around the world. I've interviewed some really amazing, interesting people. I love doing it. I love talking to these people and getting into these kinds of conversations. That is the format. And yeah, God willing, I'll be doing it for a few more years after this.

Awesome. Everybody, you need to go out and listen to the podcast. Go sign up now, go subscribe.

Please do check it out. Tell your friends.

Carey, thank you so much for coming on the podcast today.

Hey, thanks for having me.

 

 

Exit mobile version