Disinformation Part 2
23 May 2022 | 2:12 pm

If you haven't read my last post you probably should. As the title suggests, I'm going to build heavily from it. In that post, I primarily wrote about “disinformation” – how to define it, when to use it, etc. But for many, knowing what to use can be an agonizingly difficult and confusing decision. In this post, I'll share my strategies for developing effective disinformation and hopefully give you a framework on how to do so yourself.

Identifying What You Need

The best place to start is by identifying your needs. This comes in two forms: the actual information (addresses, phone numbers, etc.) and the context. By “context” I mean the kind of information you need. Does the address need to be local to confirm a story, or can it just be any random address? Does the name have to be one you'll use a lot or never again?

For example, in a prior blog post, I mentioned the idea of not using your real name when dating. But in this context, your fake name is one you'll have to reuse frequently. You'll need to respond to it when people call you from across the room, or you'll eventually have to explain that it's not your real name. There are numerous ways to handle this – some of which I discussed in that post – but ultimately you'll have to think in advance about it so you know the drawbacks and how to handle them.

Consider another scenario, one I've actually encountered many times: online ordering. I'm pretty vocal about my privacy.com usage. Privacy.com is a service that offers you digital debit cards where you can put in any billing information you want, allowing you to be John Doe at 123 Main Street, Smalltown USA. The problem, I quickly discovered, is that there are three parties involved in an online transaction: you, the bank (in this case, Privacy.com), and the vendor. While Privacy.com doesn't really care what information you put in the billing form, the vendor probably does. “John Doe at 123 Main Street” raises more red flags than a Chinese Communist Party rally on most vendor anti-fraud systems. I soon found that it was much, much easier to pick a generic sounding name – like Nathan Bartram – and an actual street address. This almost never flags the anti-fraud systems anymore.

Finally, you'll need to identify what information you actually need. This is based on your lifestyle and threat model. Perhaps you only ever buy physical goods online and never really buy software or other non-tangible services. In this case, you don't need to bother coming up with a fake address because you'll always need goods delivered to your actual address (PO Box or otherwise). Or perhaps you tell people that you’re from a certain part of town, so you’ll need an address in that town as a billing address to confirm your story and hide your real address.

Ultimately it’s important to think about what kinds of disinformation you’ll need and what the context for it will be. Once you’ve figured that out, it’s time to prepare.

Preparing Your Story

If you’re not prepared in advance with disinformation, you’ll probably end up folding every time and handing over real information. It’s just human nature. Therefore it’s important to pick your cover stories now. First off, you probably won’t remember your fake information – at least not at first. So when you’re digging through your notes app looking for it, you’ll feel compelled to explain why you don’t know your phone number or address.

Let me pause right here and deliver some wonderful news: most people don’t care. If you say “hold on, let me find it” and start scrolling your phone, most people will accept that and leave it at that. I’m willing to bet that for most readers, most of the people you interact with in day-to-day life (that you’ll be giving disinformation to) are underpaid and overworked employees. They don’t get paid enough to wonder why you can’t remember your information, and frankly they’ll probably forget about you about ten seconds after you walk out of sight. A lot of people get social anxiety over the idea that if they do anything “unusual,” people will somehow be suspicious of them. Let me reassure you: nobody cares. Everyone has their own lives, their own problems, their own boss constantly reminding them to do inventory after the registers slow down or their own fight with the significant other at home. Trust me, you are the last thing on their minds. Even if they did find you suspicious, what are they going to do? Refuse to sell you that coffee? Call the cops on you for not having your phone number memorized?

All you need to say when looking up your information is “one second, let me find it.” This lets them know you’re looking for the information they’ve asked for and you’re not just ignoring them and reading your text messages. If you feel compelled to say anything to explain, then just say “I just moved and I haven’t memorized the new address yet” or “I got a new phone and I can’t remember the number.” Again, however, this is almost never an issue.

With that handled, let’s turn to actually finding the information. Names and addresses are the easiest, so I recommend starting there. For names, I prefer to use Behind the Name’s Random Name Generator because you can narrow it down by sex (including “ambiguous”), how many names you need (first only or first and middle or more), and even ethnicity. Generate several options until you find one that sounds generic that you’re okay using.

For addresses, my preferred method is to use a local hotel. They already get tons of junk mail and they are a real, valid address so you’ll encounter less resistance from places that actually verify the address. If I need something sent to me, I use my PO Box.

Email addresses are a little tricky, but not much. For starters, I strongly encourage the use of an email forwarding service. If you pay for a premium subscription with either of the two I recommend and link a custom domain to them, you’ll be able to make up “wildcard” or “on-the-fly” addresses. So for example, I could make up “petstore@mydomain.com” at the register for my e-receipt and as soon as the store emails me the receipt, the forwarding service will automatically create it and forward the email to my inbox – no work needed on my end. If you’re unable to afford one of these services, you could try generating a few “junk” email addresses and writing them down in advance to hand out if you need to on the fly. Truthfully I’m rarely in a position where I must give someone a fake email address, but it never hurts to be prepared if you think it may happen.
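As an added illustration (not code from SimpleLogin, AnonAddy, or this blog), here is a small Python simulation of the catch-all behaviour described above on a custom domain: any local part at the domain is accepted and the alias is created on first use. It also records which sender domain first used each alias, so that an alias handed to one vendor receiving mail from someone else stands out. The domain, inbox address, and sample messages are all made up.

```python
# Added example: simulates a catch-all ("on-the-fly") alias on a custom domain.
# Not SimpleLogin's or AnonAddy's code; domain and inbox below are assumptions.
from dataclasses import dataclass, field
import re

REAL_INBOX = "me@realmail.example"   # assumed real destination inbox
ALIAS_DOMAIN = "mydomain.com"        # the custom domain from the post

ADDR_RE = re.compile(r"<([^>]+)>")


def parse_headers(raw: str) -> dict[str, str]:
    """Minimal header parser: 'Name: value' lines up to the first blank line.
    Display names ('Pet Store <x@y>') are reduced to the bare address."""
    headers: dict[str, str] = {}
    for line in raw.splitlines():
        if not line.strip():
            break
        name, _, value = line.partition(":")
        value = value.strip()
        m = ADDR_RE.search(value)
        headers[name.strip().lower()] = (m.group(1) if m else value).lower()
    return headers


@dataclass
class Alias:
    local_part: str
    first_seen_from: str                # sender domain that first used this alias
    forwarded: int = 0
    unexpected_senders: list = field(default_factory=list)


class CatchAllForwarder:
    """Accepts any local part at ALIAS_DOMAIN, creating the alias on first use."""

    def __init__(self) -> None:
        self.aliases: dict[str, Alias] = {}

    def route(self, raw_message: str):
        """Return the inbox the message is forwarded to, or None if not ours."""
        headers = parse_headers(raw_message)
        local, _, domain = headers.get("to", "").rpartition("@")
        if domain != ALIAS_DOMAIN:
            return None                 # a real MTA would reject or relay this
        sender_domain = headers.get("from", "").rpartition("@")[2]
        alias = self.aliases.get(local)
        if alias is None:               # first time this address is seen: create it
            alias = Alias(local, sender_domain)
            self.aliases[local] = alias
        elif sender_domain != alias.first_seen_from:
            alias.unexpected_senders.append(sender_domain)  # alias was shared
        alias.forwarded += 1
        return REAL_INBOX


# Constructed sample messages (not real mail): two from the pet store that was
# given the alias, one from an unrelated marketer, one not addressed to us.
SAMPLE_MESSAGES = [
    "From: receipts@petstore.example\nTo: petstore@mydomain.com\nSubject: Your e-receipt\n\nThanks!",
    "From: Pet Store <receipts@petstore.example>\nTo: petstore@mydomain.com\nSubject: Order shipped\n\n...",
    "From: promo@deals.marketing.example\nTo: petstore@mydomain.com\nSubject: Great offers\n\n...",
    "From: someone@elsewhere.example\nTo: me@otherdomain.example\nSubject: not ours\n\n...",
]


def run_sample() -> CatchAllForwarder:
    fwd = CatchAllForwarder()
    for msg in SAMPLE_MESSAGES:
        fwd.route(msg)
    return fwd


if __name__ == "__main__":
    for a in run_sample().aliases.values():
        print(a.local_part, a.forwarded, a.first_seen_from, a.unexpected_senders)
```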

Phone numbers get kind of tricky. If you just need to give them any kind of number, there’s lots of options. There’s the classic “867-5309” (this is from a hit ’80s pop song, in case you’re unaware), you can find an automated phone number online – something like a tech support number that leads to a phone tree, you can use Michael Bazzell’s “619-364-0090” through “0099,” and there’s tons of prank or false numbers online. My personal favorite is “248-434-5508.” Call it if you can. If you live in another country, just do some research online. You’ll find tons of options. But what if it’s a number where you do need someone to reach you? Voice-over-IP is going to be your best bet by a wide margin, but again options are relatively limited if you live outside the US or certain other areas. There’s also the fact that most of these services don’t work if you need to verify a phone number for an account, like Twitter for example. In this case, your simplest bet is a second SIM card you only use for this purpose. There are actually a few options here, but that’s going to be the most direct and simple. I could write an entire blog post about phone numbers alone, but if you ask around on some forums and do your research you should come up with some options that work for you.

Finally, you may be in a situation in which you need to invent a “backstory.” I’ve been known to frequent hobby-based meetup groups in the past – the kind where you find the posting online to get together to do nerd trivia with a bunch of strangers in a bar, stuff like that. This means I don’t know if the person next to me is my new best friend or secretly plotting to wear my skin and stash my body under their crawlspace. I’ve discussed in other blogs – namely the dating one I linked earlier – the idea of being vague when you disclose information. I tell people all the time that I work in audio-video, but not the company. I tell people I grew up in another state, but I don’t always say the city. If your threat model is high enough, you may wish to lie entirely and say you grew up in a state you never did or a city you never did. My only advice here is to make sure it’s a place you’re at least somewhat familiar with. I have visited Seattle, but I haven’t spent enough time there to be familiar with it. I would have a hard time saying I grew up there because I don’t know it well enough. If I ever met anyone else from Seattle, they’d be able to poke holes in my story instantly. On the other hand, I’ve visited San Diego multiple times for various reasons, and I could reasonably say I grew up in that area and be able to pass it off.

Conclusion

It’s pretty common to see people struggle with disinformation: how to come up with it, when to use it, etc. I hope this blog post has been helpful and given you a starting point, presented the right questions to ask yourself so you know what you need, the pitfalls to watch out for, and given you some ideas on where to go to find information to use. Now get out there and start protecting your privacy on a new level.

You can find more recommended services and programs at TheNewOil.org. You can also get daily privacy news updates at @thenewoil@freeradical.zone or support my work in a variety of ways here.


Disinformation, Part 1
7 May 2022 | 6:06 pm

Let's do this.

Since I started blogging in 2018 (or somewhere thereabouts) I've promised to write a blog about disinformation. I keep saying “eventually” and “someday” and “in time.” Well that time is now.

You need to start lying. Or at least telling half-truths. And I'm here to give you some pointers on how to do it in a smart, sustainable, and ethical way. In this post, I'm going to give you everything you need to know about disinformation, when to use it, how to use it, why to use it, and more. So let's get into it.

What is Disinformation (and Why Should You Use It)?

Disinformation is the act of intentionally lying to mislead someone. Generally speaking, this is not good. You shouldn't lie to your spouse, your boss, or the general public ([insert snide political opinion here]). But in the context of privacy, disinformation is not only ethical (I would argue) but it's often our only choice. Surveillance capitalism thrives on knowing your true identity – on being able to link every single step, click, view, like, and comment back to the source so they can improve their profiles about you and sell you more stuff. Sometimes “more stuff” means another pair of shoes or a new band. Sometimes it means a political ideology.

At the very least, a pretty non-controversial definition of privacy is “the ability to control the flow of information.” Some people may prefer a more hardcore definition, but most people can agree that at a bare minimum privacy means having choice over what you disclose and to whom. This is why I find disinformation to be ethical: many companies and corporations do not give us meaningful consent. There's this idea that “if you don't like a product/service, just don't use it.” Ignoring the fact that they track you anyways, this doesn't account for things like signing up for financial aid for college and being tracked or the DMV selling your data. If you live in a town with poor public transit (which is most American towns), that basically means you have to pick between privacy or wasting hours of your life each week getting places that would otherwise take a fraction of the time. When your hands are so aggressively tied by the people above you and the “choices” given to you more closely resemble illusions and punishments, disinformation becomes the only ethical response.

All things being equal, it's always better to not hand out a piece of information. But sometimes that’s not an option. Most online retailers won’t let you finish the purchase until you provide a phone number (even though they literally always email you rather than call you). You have to give a name at Starbucks (I guess you could try fighting this one, I never have but I assume they wouldn’t appreciate you coming back). You can’t always just not give out information. But not everyone deserves your true information.

The fact is that once you give out a piece of information, you’ve effectively lost control of it. Really think about that. Every single thing you share – even just venting to your closest friend – is a piece of information you lose control over. You have no say in who they share that information with, where they post it, or what they do with it. You’re trusting them to lock it up inside their head and never share it, but you can’t force them. Even if you’re able to pursue some sort of recourse – like suing them or exiling them from your life – you can’t undo the disclosure.

This goes a thousandfold for companies, who basically treat everything you tell them like it’s public record with their poor security and data handling practices. Once you disclose something, you can’t take it back, especially once a company has leaked your data and now it’s all over the internet. Therefore it’s important to decide up front if someone needs that information in the first place.

Order of Operations

Perhaps a template for decision-making is in order here before we move on so we know what constitutes a “need” and a legitimate interest.

First off, I never encourage doing anything illegal. Don’t give the cops a fake ID. Don’t put a fake name on your taxes. Don’t ever lie to the government. This extends to directly-related situations. For example, your boss has to file taxes so you need to give them a real name or else they’ll end up reporting bad information to the government who will then come after you for fraud.

Next, let’s talk about “people with a legitimate interest.” The most salient example here is your doctor. Your age is an important factor in many medical situations, so maybe don’t give the doctor a fake birthday. Do they really need the exact date of birth? Probably not, but also don’t lie to people trying to help you. I would terminate a consulting relationship with a client who was repeatedly lying to me. I’m not here to judge you, I’m here to help you, and if you won’t work with me you’re wasting both our time. Same with doctors. If you don’t trust your doctor, request a new one.

Sometimes “legitimate interest” can be examined on a “piece by piece” basis. My employer has a legitimate interest in knowing my real name, social security number, and date of birth to verify tax records and identity and to comply with laws. My employer has no legitimate reason to know where I lay my head at night, what I do on the weekends, or anything else about my personal life, really. Hence I have a strict policy about only giving employers a PO Box and VoIP phone number, never my true home address or SIM number.

In my opinion, most “legitimate interest” needs for our real data are rare and relatively obvious. In most of our day-to-day lives, there is no “legitimate interest” for any data at all. A famous joke by comedian Mitch Hedberg states: “I bought a doughnut and they gave me a receipt for the doughnut; I don't need a receipt for the doughnut. I'll just give you the money, and you give me the doughnut, end of transaction. We don't need to bring ink and paper into this. I just can't imagine a scenario where I would have to prove that I bought a doughnut.” Truthfully this is how I feel about 99% of the transactions I participate in on a daily basis. Getting a soda at the corner store: “do you have a phone number for the rewards program?” No. Here’s $2 in cash, give me a soda. “Would you like to add a photo to your online profile?” You mean the one to order a new microphone at work? How about no. Here’s the company card, the company address, and the company name. Send me a microphone. The other day I called the Department of Motor Vehicles and the automated phone tree asked me for a date of birth. Why? Are you going to hang up on me and refuse to answer my questions if I’m too young to drive?

Determining a legitimate need is really that simple: just ask “why?” When in doubt, ask the person making the request. I once went to a restaurant and there was a wait, so the server asked for my phone number. All I said was “why?” She replied “we can text you when your table’s ready.” I claimed I left my phone at home and asked her to just call my name instead, and she wrote down my first name. Sometimes I ask why and get met with a legitimate answer: “the cable guy will call you when he arrives.” Fair enough. My home can be hard to find, he might need some help finding it. But most of the time, there’s no good reason to hand out data.

Pause

Perhaps this is a good place to stop this week. I like to keep my blog posts to around 1000 words, and we’ve passed that mark already with so much still to discuss. We’ve established, I think, a good foundation for what disinformation is, why we need it, and when to use it. Next time we’ll cover some examples of disinformation and how to come up with good, plausible disinformation. Until then, stay safe out there!



CTemplar is Dead (AKA Lessons About Email Sovereignty)
30 April 2022 | 2:06 pm

Icelandic encrypted email provider CTemplar went under this week. I could list dozens of reasons this comes as no surprise to me – and another dozen ways this was poorly handled – but that’s neither here nor there. There’s no reason to kick somebody while they’re down. Instead let’s focus on what we can learn from this, because there are two important lessons.

Lesson 1: Beware the Little Guys

In the privacy space, we are very skeptical of new services, and rightfully so. There’s a lot at play here. First there’s the fact that the privacy space is rife with scams, both direct and indirect. Direct scams would be the ten thousand new “shitcoins” that pop up each day whose only purpose is to make someone rich in a pump-and-dump scheme – or an actual, outright honeypot service like Anom. An indirect scam would be services that lull you into a false sense of security with buzzwords like “encrypted” and “private” when what they really mean is “for now” or “more so than the other guy” (if they even mean that much).

Assuming that a new project is honest and well meaning, they can still easily make mistakes with poor implementation, poor wording, or bugs. Security and privacy are both important – and incredibly easy to screw up, sometimes badly.

Last but not least, even the honest services face the same uphill battle you’ll find in literally any market: it’s hard to compete with the name brands – Proton, Tutanota, DuckDuckGo, Mullvad, etc. These are brands who have proven themselves (whether you like them or not) time and time again. You’re new. You’re nobody. Why should anyone believe you? What do you offer that they don’t? What do you do differently and/or better? What challenges will I have to overcome to benefit from your product (such as the Network Effect)?

That said, there’s nothing wrong with supporting the new guys. I think you should, actually. I was a new guy once. I still am, in a lot of ways. Tutanota was once the new guy. Signal. Tor. Your favorite privacy or security service or tool was once new and untested. It’s good to research a product and then decide “I like this, this is good, I want to support this.” But you need to remember that we have no idea what’s going on behind the scenes. Depending on the available research and your skill level, you may not know if the product’s implementation is secure. We may not know their financial situation. We may not know if some drug kingpin is using the service and they’ll be served with some kind of legal order that forces them to fold. There’s a million things that could happen, and we just don’t know. I don’t think this counts as a reason to stay away – if you never support the projects you like, they’ll die for certain. But even if you do support them, they might die anyways through no fault of yours. So always keep backups, always keep redundancies, and always be prepared to wake up one day and find out your emails won’t send. This leads us to an even more important and easier-to-practice point.

Lesson 2: Control Your Data

Frequently when we talk about “controlling your data,” we think of things like self-hosting, reducing data transmission (via tools like firewalls, DNS, or uBlock Origin), or not using a service altogether. But sometimes it’s a bit more complex than that. This is actually a subject I’ve been wanting to discuss for quite some time. Sometimes “controlling your data” can mean controlling how it gets handled, or where it goes.

Let’s look at this through the lens of email and CTemplar. Most of my long-time readers know that I recommend the use of an email masking service like SimpleLogin or AnonAddy. There’s numerous practical reasons for this which I outline on that page, but one that I haven’t discussed in depth (and should probably add) is the ability to quickly and easily redirect your emails in a situation exactly like this one. Right now, a lot of CTemplar users are scrambling to get all their accounts moved over to a new provider. While SimpleLogin & AnonAddy don’t make this a one-click process, they do make it easier than logging into a billion websites and manually changing and verifying everything. It can all be done from one simple dashboard in just a few minutes, no verification required.

There’s another layer of protection here I strongly recommend: custom domains. The default email addresses provided by SimpleLogin and AnonAddy are fine for the small stuff, but they present two issues. First, a lot of companies don’t typically like these kinds of services, so it’s usually only a matter of time before they start getting blocklisted. These two services are attempting to circumvent that by constantly adding new domains, but they can only do so much. It’s a constant cat-and-mouse. Second, what happens if one of these services goes under? It’s happened before, and it can happen again. In fact, that’s why we’re talking about this right now: a company went under and now the users have to find something else. With a custom domain, if your email-forwarding solution of choice ever goes out of business, you just point the DNS records at a new provider, whether that’s another forwarding service or an email provider directly.

A quick note: I know setting up a custom domain sounds hard, but it’s REALLY not. You buy a domain name you like from a website (common privacy recommendations include 1984, NameCheap, Orange, and PorkBun), then you go check the help page on your email forwarding service of choice for instructions on how to add your custom domain. More often than not, they have very simple, straightforward instructions and sometimes even have screenshots. Same if you decide to cut out the forwarding service and use an email provider directly.

Having your own domain is the ultimate power in controlling your email data (except for self-hosting, but I don’t recommend that for a lot of reasons). Unless the domain registrar disappears or blocks you (which, in my experience, is highly unlikely) then it doesn’t matter who goes out of business. You can always just point your emails somewhere new and keep going with almost no disruption.

Controlling your data is important and powerful. It makes you independent, it makes you resilient, and it makes your life simpler by being prepared for when things change – and in tech, things are always changing. Part of threat modeling is planning for what could go wrong and then putting systems in place to mitigate it if it happens. Maybe you weren’t affected by this CTemplar situation. That doesn’t mean you won’t be affected by the next one. Be sure to review the products and services you use and plan ahead. There’s always room to improve. Take this time to learn some lessons and apply the necessary changes to your own posture.
