There’s a lot to say about this news. From the fact that the service sells privacy as the product even more than the service itself, to the fact that free accounts are inherently more secure than paid accounts owing to this utterly unforgivable loophole in their protections for customers. The fact that aiding an active regime of war criminals is being brushed off as ‘following orders.’ The fact that they are using the buffer stage of rolling over for their own government as the excuse from ridicule. The fact that you are constantly bombarded with upgrade/upsell ads when using the service which all - again - focus on buying privacy and security. The fact that they have a glib, canned response and astroturf trolls on social media trying to steer the conversation into personal accountability. All of it is obscene.
Proton has taken an immediate, reactionary, hostile approach to this being leaked to the news. They call it click bait (it’s not). They call it misrepresentation (it’s not). They have their brand-identifying user base marching for them in social media comments, decrying the person for not obfuscating their own payment methods rather than blaming the person who lied to their user base (they did). They call it anything but a problem for them to solve, violently hand waving to the point of slap fighting.
Pump the brakes there, Squirrely Ma’am.
And as problems go, Proton, despite being A problem, is not THE problem on display here. They suck. Do not think I’m in any way asking for absolution for their utter shittery. Rather, there is an inherent problem with any service you do not personally host. When faced with compromising their advertised ideals, they are only as strong as their board members will allow them to be. Promises are free. Actions are not. Until an event occurs which burns away the facade they’ve built in times of easy sailing, there is never a guarantee that any entity you don’t control won’t immediately cave to any outside pressure deemed too difficult or expensive to challenge. In this case, rather than even test the laws of their home country, the company scuttled the ship at the first sign of a boarding party. Being a Not For Profit just means the decision was made by people who didn’t want to deal with the hassle of defending their product’s core feature, rather than being a fully financial decision in the endless pursuit of more profit. Same outcome.
There’s no solution for this, from the standpoint of the average consumer. Hosting your own e-mail service is no longer tenable for nearly anyone and doing it in an anonymous way is basically impossible. Constantly using throwaway accounts means not having a permanent address and basically makes e-mail about as useless as a rain-soaked ValPak stuck to the top of the communal dumpster lid.
There are a few mitigations, but no matter what you do, ultimately anything hosted outside of your control is outside of your control. VPNs? Doesn’t matter what the law is where you end up. With enough pressure, it can all be linked back to you if any piece of identifiable information is involved. Your payment method? Easy. Your originating IP? A little harder, but not by much. Even if you hop and hop and hop, the trail exists. Your only true option for anonymity is burner hardware that you dispose of after use. And that’s economically and ecologically a horrible option. All you can do is make the trail back to you as hard as possible to follow. I know it sounds as if I’m echoing the people who blame the victim for not obscuring payment info, but their action - in this case - is correct. The blame still lives with the company that lied, but in praxis, that’s little consolation. It is, however, a good way to find people to block on social media.
There are a few things you can do to make the pursuit of your information a high enough cost of entry to prevent a free bingo square for the pigs and pigeons who might want to find you. First and foremost, don’t believe a goddamned thing any company says about privacy in regards to selling it to you.
It’s not aliens, Mulder. It’s always just greedy old white guys.
Second, don’t pay for any service you want to be anonymized through an account linked easily back to you. Prepaid cards are an option (bought with cash, preferably). Crypto is about as anonymous as a Zorro mask worn while showing off a chest tattoo of your driver’s license and the world built around it is very similar to these privacy-first services. They do not actually protect you from anything. The manifests for transactions can, with a bit of forensics, be rebuilt pointing right back to you unless you did the initial buy in a completely anonymous way. If you’ve already got your foot in that quicksand, do what you will. But for people who don’t want to touch it, stick with converting cash to anonymous payment methods in the real world.
Third, use free accounts with false information to run any protest organizations. Don’t use subscription based services that force you to keep a payment record on file. Freedom of speech, and in fact, the entirety of the Bill of Rights has been shown time and time again to not be anything but a promise to gullible customers. Especially when critiquing capitalist dogma or elite class supremacy. You can go online and talk a child into killing themselves or walk into another state and open fire on brown people all you want and it’ll be considered your undeniable right. But say that you think rage-fucking the entire planet into apocalyptic extinction is maybe not so good and your information will be handed over without a second thought. The Mrs. Kravitses of the world are overwhelmingly fascist-leaning and will drop more dimes than a busking hedgehog running into a spike trap.
There are options like co-op service subscriptions where ownership is decentralized among a few people who trust each other or running through the absolute dregs of humanity alongside illegal pornographers, human traffickers, and raw milk peddlers. There’s a high bar to entry in understanding things like the Onion network and an even higher bar of technicality in implementing those understandings. You’re still stuck with the first-payment problem, in most cases. Getting comfortable with using cash is still the key element to protecting yourself from payment provider abuse. Laundering your completely legal activity should not be something we are required to do and my hope is that a lawsuit arises from this that costs Proton much more than they would have spent defending the principles they sold. The world does not deal in fairness, though, and the business self-preservation instinct is myopic, amnesic, and very, very stupid, so lessons will likely be ignored even if that does happen. All we can do now is tell people who blame victims to shut their fucking mouths but take their methods and internalize them.
The myth of the anonymous Internet - and it has always been a myth - is slowly fading as the average Internet user watches their protections and rights to be ignored wholly forgotten in the mad rush for capital-building information. While forensics have been able to piece together identifying markers from online activity for decades, the cost of doing that work has gone down substantially in recent totalitarian regimes. In the United States, the fourth amendment has generally held that your privacy, digital or otherwise, cannot be invaded without judicial intervention. Just cause has turned into “just ’cause” overnight with the very public dismantling of checks and balances. Private tech companies no longer worry about rolling over for fascism causing their stock to drop. Humans are no longer their customers. Speculative bubbles are more profitable and if they never have to put the money back into the pot - rather, just hand it back and forth to one another and tip their hats like playground pantomime - they are all the more happy. So why bother saving face when you can get special treatment by playing ball with dictators? That hurdle has classically been the most difficult one to overcome when doing Internet sleuthing and it has eroded entirely.
Palantir and its precursors, along with government programs like PRISM, work their way into boards and halls of tech giants. They use kickbacks, permitting, and all sorts of bribery to make sure that the biggest-named players are all in on the grift of faux security in modern tech. But tech is less secure than it has ever been. It may prevent low-rent script kiddies from scamming your Roblox account, but everything you do on most of your devices can be laid bare in seconds if someone merely decides to look.
I wish I could tell you Andy fought the good fight. But he just memed and masturbated. Constantly.
Again, this is not new. Logging has been fundamental to computer network interaction since its inception. Things needed for reliable communication over an infrastructure made to carry flustered Trans-Atlantic accents from Pennsylvania-65000 to Klondike-5555 were already being stored so these digital bridges could be created. Endpoints had to be known. Routes had to be known. Owing to this, there was little anonymity in computing from the start. Anonymity was added, intentionally and otherwise. Log files take up space, so anonymity is bolstered simply by not storing this information past the active session. But compression got extremely good, extremely fast. Especially for text. Logs became less and less a storage concern and more one of privacy well before AOL shipped its first disk. For a while, privacy was a top tier feature in online communication. At least, behind the scenes. People love to identify themselves. It’s almost like we are all apes made of existential dread and routine. Because we are. As the net became more ubiquitous, people started realizing the importance of privacy. Not for illicit acts, though certainly those were in the mix. But for everyday activities that were becoming more common online. Communication with friends, family, doctors, colleagues. These all needed some protection from prying eyes. Encryption technologies became an arms race against bad actors trying to hijack communications to steal what information they could. At the same time, however, companies began realizing how much of the data flow they controlled and how much that data could be used to create targeting for themselves. Then, they realized people would still pay for services even if ads were part of that service. In some old newsroom storage closet, William Randolph Hearst’s portrait smiled. So began the two-faced deceit of IT security.
We don’t care. We don’t HAVE to. We’re the phone company.
All of this is just a long-winded intro to say this: No corporate entity ever has your best interests in mind when making decisions. Only profit. Or reduction of loss. When paramilitary police forces decide to dox you, the ’safe, secure, encrypted’ services you use from publicly traded for-profits mean absolutely nothing. They have your data. They will give it over to the cops. It’s the most financially beneficial stance (on paper), and that’s the only stance they will ever take.
So what is there to do? Break out paper cups and semaphore flags? How can you go to a protest and keep your digital life from becoming Exhibits A-Q should a stormtrooper decide you look enough like his ex or his abusive dad or just that kid he beat up in high school so it’s your day to get zip-tied and paddy-waggoned? Not all is bleak, nor do you have to pull a Full Amish when you head down to the future kettle where the first amendment is “protected” until it’s not. You can do quite a bit to harden your personal security - which in turn makes those around you more secure. It’s work, but what isn’t these days? Work, I guess.
Leave your phone at home
This is one of those pieces of advice that often gets eye-rolled by activists and organizers. But before you dismiss it, hear me out. I’m not saying ‘don’t take a phone.’ I’m saying leave the phone you use as your primary device at home. It is very easy and very cheap to pick up a second phone for recording - one of the most important functions of a phone at any protest - and communication. You can use an anonymous pre-paid carrier phone for emergencies, an old phone you’ve wiped, or grab a cheap used unlocked phone off of any number of marketplaces. Considering the despicable disposability cycle of modern phones, you can probably find a few free ones with some calls to friends and family. A few things to keep in mind:
Fully factory reset any phone you receive or purchase. If possible, do this offline using tools from the manufacturer.
If an alternative, hardened OS such as GrapheneOS is available for your device, consider using that instead of stock Android or the manufacturer’s bloatware.
Try to find a phone that uses a physical SIM card. eSIMs are convenient, but are tied to the device and usually tied to the sales records of the device. A physical SIM lets you swap to another carrier or a prepaid number with ease.
Keep apps to the bare minimum. When possible, use app stores that do not tie to an account. F-Droid is a good option. Obtainium is very popular as well.
DISABLE BIOMETRICS. Apart from being way less secure than they purport, biometrics can be used to illegally compel you to unlock your device. Face scans are NOT legally protected. Fingerprint scans can be obtained through force. Set up a complex PIN or password and don’t fall for the false security of biometric login.
Don’t sync accounts, contact lists, texts, etc. Don’t use e-mail applications. Check e-mail through a private browser session. This is a pain because you have to manually enter security info every single time, but it means that there’s no forensic footprint left on your phone once the session is closed.
If you need to stream or capture to a cloud service, add a second, anonymized account for doing so. You can always re-share from your primary account later, but there’s no reason to link your activities to verifiable identification.
Remove data from your phone when you get home. Back it up on a secure drive and remove it from the device. Again, there’s no reason to provide a free map of your whereabouts for potential prosecutors.
Use a VPN (with manual credentials, not apps). A VPN can help protect you from local scanners, a more and more popular tool for oppressors, as well as provide an extra layer of cover from your carrier snooping on their behalf. Generally, use a VPN from a country with sound data protection laws like the Netherlands if possible.
Utilize wifi hotspots over cellular data when possible. Many areas have free wifi if you look for it. Combined with a VPN, getting your exact activity trail becomes much, much harder.
Only give the phone number for the device (if applicable) to a few people you trust. An army willing to use a 5 year old to draw people out of a house will absolutely put pressure on people close to you. People can’t give up your info if they don’t know it, so keep the list as small as you can.
Use your protest phone for protesting. Keep it on Airplane Mode or turned off. Take it off Airplane Mode AFTER arriving at the protest. Put it in Airplane Mode BEFORE you leave the protest. Cell tower pings can be used to create a very accurate map of your path to and from. Again, don’t give them anything for free.
If you simply cannot use a dedicated phone and cannot leave your phone at home, consider paring down apps, creating a second profile with very little information and using that when you’re at gatherings, using a VPN, disabling ALL AI tools, turning off tracking metrics (such as “send us data to improve your experience while using the app!” settings), signing out of social media accounts, and following the biometric and VPN suggestions above.
Be comfortable being bored
Excepting a secured phone (if necessary), don’t bring any connected devices with you. No iPad. No Switch. No Steam Deck. No ROG Steam Deck But Worse. If you have one of those handheld retro devices from Anbernic or anything with bluetooth, wifi, or mobile data, just leave it at home. Tablets, smart watches, even many MP3 players - anything that can connect with a wireless service of some type can be scanned and identified and linked to you if found on your person after an arrest. If you’re going to a protest, you’re going to protest. Not to scroll feeds or find epic mounts. Being uncomfortable with being bored is no reason to tag yourself like a migratory whale pod.
Don’t give up your entire identity at home
In your day-to-day life, more and more of your online identity is being added to your digital fingerprint. Platforms can predict, with astounding accuracy, what your next website visit will be. They can pick you out of a haystack of haystacks of users in seconds. Every cookie you accept, every permission you grant…they’ll be watching you.
ACAB even means these guys.
Use a VPN on your home network. You don’t need to go so far as to tunnel to another country for your day to day use, but just adding one more layer of obfuscation helps. Obscurity is not security, but it’s better than nothing. Use secure communication when available. Set your browser to always use https, for example. Switch off of known problematic messaging apps like Discord to more secure options like Signal. Don’t use AI processing on anything. In fact, turn off AI everywhere you can. If you’re using Windows, uninstall and prevent Copilot from reinstalling (https://www.howtogeek.com/how-to-rip-out-copilot-from-windows-11/) (note - this can change on a whim and they are pushing Copilot hard, so your best bet is to leave Windows or go back to Windows 10 and use a debloating tool). Switch your search engine to a non-AI backed search such as DuckDuckGo’s No AI service. Remove AI tools from your browser if you use Chrome or Chromium based browsers or Firefox. (Note, beginning with Firefox 148, a single kill switch will be introduced under Settings -> AI Controls -> Block AI Enhancements, but it has not rolled out globally at the time of this writing).
Don’t use social media to discuss your activities at protests. You can obviously be loud and proud about your views, but any insight into the inner workings of direct action will be used to subvert it. There is no virtue signalling in protest. There’s no reason to share intel with the enemy during an active war. Save your mementos in a safe, encrypted location. Once everyone swears they were always against all of this, which they will, feel free to make a wall of dissent. But during active operations, no need to identify locations, organization, or the faces of others for internet points.
Keep your systems secure. Self-hosting can be a great way to withdraw from the onslaught of platform rot, but it can also open you up to attacks. Automated attacks are becoming more sophisticated, or in the case of AI based attacks, more frequent to the point of overwhelming systems. Not smarter, just more waves crashing against the beach. Protect yourself by understanding edge security. Make sure your router is not compromised and is up to date on its firmware. Make sure to keep an eye on security bulletins for software you host and quickly update it if a confirmed security hole is disclosed. This is obviously for more technical folks, but anyone can learn how to lock down their home network in a couple of days’ worth of YouTube videos and old forum posts.
Stop using Spyware as a Service
The Super Bowl ad for Ring really shook the tree in terms of the general public’s understanding of just how perverse and pervasive private spying has become. Convenience has, for at least the last two decades, come at the cost of security. We hand over our details willingly to save a few steps while logging in or to scream into our personal void and have it play back our favorite comfort songs. Ditching digital servants is a minor inconvenience that feels like oppression to so many who are now used to the ease of it all. I promise, it’s really not that hard to pick a playlist by hand. Drop digital assistants from your phone. Doubly so if they’re AI-backed. Get rid of Echos and Smart Speakers and cloud-connected doorbell cameras and app-based light managers and all that BS. You can find replacements that leave all of your data in your personal network for nearly everything. So if you really need the convenience or are in a position where you need these things for accessibility, there are options. For example, Home Assistant is a robust, multi-protocol service which can be locked down but still control your existing closed-source hardware.
Don’t use sign-in aggregators when you can avoid it. “Sign in with Google” sure feels like a convenient wonder. But what it really is is a single point of access for anyone who is able to get your Google device from you. Like the cops or TSA (cops) or ICE (somehow even more cop cops). Instead, consider an encrypted password manager with a strong master password (not biometric!) and individual site passwords. Avoid saving the password manager backups on cloud storage and instead, sync them to a folder on your network or an external endpoint you control. Again, passwords are protected by the 4th amendment. Your fingerprint is not.
Stop sharing videos with tracking data. YouTube, TikTok (dear god, stop using this garbage), and many other video hosting sites have a share button that tracks you and then tracks further shares by others who are NOT you. Strip your URLs before sharing them. Use only the required query string data. For example, on YouTube, shares usually include an si=(code) element. When you share, remove everything except for the required video ID. When using the fully qualified www.youtube.com, this usually means deleting everything after and including the first ampersand. When using a shortened youtu.be link, this usually means deleting everything after and including the first question mark.
Example:
https://www.youtube.com/watch?v=EOxERcvYE9g&si=XXXXXXXXXXXXXX
or
https://youtu.be/EOxERcvYE9g?si=XXXXXXXXXXXXXX
Become
https://www.youtube.com/watch?v=EOxERcvYE9g
or
https://youtu.be/EOxERcvYE9g
respectively.
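If you share links often, the same rule can be scripted. The following is an added example, not part of the original post: it keeps only the v= video ID by allow-list instead of cutting at the first ampersand, so it still works when the share link puts si= before v=. The function names and the host list are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qs, urlencode

# Hosts this example knows how to clean (an assumption; extend as needed).
WATCH_HOSTS = {"youtube.com", "www.youtube.com", "m.youtube.com"}
SHORT_HOSTS = {"youtu.be"}

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def strip_share_url(url: str) -> str:
    """Return the URL with everything except the video ID removed.

    Raises ValueError for anything it does not recognise, so a tracked
    link is never passed through silently as "cleaned".
    """
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()

    if host in SHORT_HOSTS:
        # youtu.be carries the video ID in the path; no query is needed.
        return urlunsplit((parts.scheme, parts.netloc, parts.path, "", ""))

    if host in WATCH_HOSTS and parts.path == "/watch":
        # Pull v= out wherever it sits in the query string, drop the rest
        # (si, feature, and so on) along with any fragment.
        video_id = parse_qs(parts.query).get("v", [])
        if not video_id:
            raise ValueError("no video ID (v=) in URL")
        query = urlencode({"v": video_id[0]})
        return urlunsplit((parts.scheme, parts.netloc, parts.path, query, ""))

    raise ValueError("not a recognised YouTube share URL")


def clean_message(text: str) -> str:
    """Clean every recognised share link inside a block of text.

    Links to other sites are left exactly as written.
    """
    def repl(match: re.Match) -> str:
        raw = match.group(0)
        url = raw.rstrip(".,;:!?)")   # sentence punctuation is not part of the link
        tail = raw[len(url):]
        try:
            return strip_share_url(url) + tail
        except ValueError:
            return raw
    return URL_RE.sub(repl, text)


if __name__ == "__main__":
    # Constructed sample input, using the placeholder links from the post.
    for link in (
        "https://www.youtube.com/watch?v=EOxERcvYE9g&si=XXXXXXXXXXXXXX",
        "https://www.youtube.com/watch?si=XXXXXXXXXXXXXX&v=EOxERcvYE9g",
        "https://youtu.be/EOxERcvYE9g?si=XXXXXXXXXXXXXX",
    ):
        print(strip_share_url(link))
```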
Don’t use photo filter apps, AI enhancement apps, or anything that requires personal data to produce some social token. “It’s fun, everyone’s doing it and I want to see mine!” Nobody is going to care about this shit in a week. Remember BitStrip avatars? Garbage, prepackaged flash art that was reassembled after you handed over the keys to your personal profile? Nobody actually liked anyone else’s but their own. Which means nobody actually liked them. You’d give them enough info to fake a MasterCard support call and get the most dated, ugly garbage to hang on your digital sash. Stop.
6 Seasons and an Identity Theft.
The future of capitalism and the future of humanity cannot coexist. We’re living in that tumultuous between-time, when neither side has laid full claim to the next stage of development and both sides are still under the illusion of a false pact. The average person still thinks technology is a service, not a siphon. The average CEO still thinks that there is more wealth to be pumped from a dry populace. One side will crack and separating your affairs now will do nothing but benefit you, regardless of how the whole thing shakes out. Services are built to incubate product. YOU are the product. Your data. Your eyes. Your time. They sell your own atrophied ability back to you in a neatly packaged, completely standardized, wholly unowned-by-you way. Put up as many roadblocks to them getting all of you for nothing as you can.