Conversations with an IT Security Expert
Several years ago, when I had just begun learning about digital privacy, I asked a friend who works in IT security for advice. I took a lot of notes and kept copies of the email exchanges and Signal messages. Below is a summary in bullet points of the information I've found most helpful.
Q: Is it safe to download and use sensitive apps, like your password manager or banking app, on a de-Googled phone? Some apps give warnings about rooted phones being less safe.
Note: At the time of asking this question, I was using /e/OS. I have since switched over to CalyxOS, though my kids still use /e/OS on their devices.
- It is simultaneously less safe and more safe
- APKs provided by Aurora are fetched from Google servers, so apps downloaded from AuroraStore are the same as if downloaded from Google Play [1]
- A rooted phone opens the door to other types of exploits, but this has nothing to do with Aurora
- No one can guarantee that a privacy OS provider will continue to do what they promised at the outset
- The open source model is therefore a good indication of trustworthiness; transparency in code allows other developers to check whether or not privacy values are still being upheld
- Don't trust any OS provider (like e Foundation) completely; read their documentation; ask questions
- Every new app introduces a potential new security risk; therefore, best practice is to minimise the number of apps installed on your phone
Q: Should I try to de-Google?
- It is possible non-Google apps rely on Google's APIs and therefore transmit information to Google without your knowledge. The OS may be de-Googled, but individual apps can break that model
- Minimise number of apps you install, and do your research
- The long-term solution is stronger regulations for privacy, as has begun in the EU; governments need to hold companies in breach of privacy laws to account; some progress has been made, but we have a long way to go
- From the perspective of someone who has worked in software: a lot of the barriers to putting privacy law into practice stem from legacy applications, data stores, and the links between them [2]
- Apple seems to have taken a stand on privacy and is investing more
- Google is making first steps in giving users some controls over their own data, but has a long way to go
- If governments come down harder on companies, then these companies will spend more money on ensuring security. Credit card industry and anti-fraud regulation is an example of this; companies that don't meet regulations are heavily fined
Q: What other advice can you give?
- Avoid doing everything under one identity, or on one device
- While not a guarantee for privacy, dividing online activities over different identities and devices is a step in the right direction; it reduces your complete footprint
- Note that this approach is very inconvenient in a world where we are constantly encouraged to tie everything to one identity
- In short: this approach takes work and attention; not recommended for all, but it is something I do and spend time on
- Reach out to your government representatives; push them to regulate companies with policy and fine them when they don't comply
- Don't trust apps you install; no app is completely safe, and there are vulnerabilities in every operating system
- Make sure the apps you use stay up-to-date
- Don't put your eggs in one basket regarding privacy and identity; be flexible when the environment changes
Q: I recently bought a PinePhone. What are your thoughts on Linux-based environments?
- It can be hard to work around incompatibilities with mainstream operating systems (MacOS, Windows) in the professional environment
- Running games or other specialised software on Linux can be a frustrating experience, almost not worth it
- Having said that, I would love to work in a Linux-only environment
- There is the disadvantage of unsupported operating systems, such as older Linux OSes
- Larger companies are sometimes faster at addressing security issues because they are so widespread and constantly under attack
- This is why I use Pixel phones—they get the latest security updates first—in combination with an app that scans for new exploits/malware in the Google Play Store
- Conundrum: pay more for more support, or support FOSS and hope vulnerabilities are addressed quickly
- Some FOSS communities have a very fast response time to vulnerabilities
Conclusions
There was a lot there! The problem is that this conversation took place around 2020, and IT is a quickly changing landscape. I decided to keep this post in, because it aligns with the purpose of my blog: a diary showing the steps I took towards better digital privacy as a regular consumer.
You can do a lot on your own, but having a friend who knows more than you and is willing to take time to answer your questions can give you confidence you've been taking steps in the right direction. Some of the comments above also made me pause and think that perhaps not everything that carries labels like privacy or open source is by definition better.
The main take-away points for me—things I still do today—are:
- try to avoid tying all your online activities to a single identity or device, and,
- accept that sometimes using a mainstream device may provide better security or safety.
Note about summer months
Loyal readers may have noticed a reduction in the rate of my posts recently. I explained to my email subscribers last week that this is partly due to a career change, which I have discovered can take considerable time and energy!
Looking ahead to summer, I'll be doing quite a bit of traveling and spending time with family; posts might therefore be a bit more sporadic. I may try to write a few short glossary posts for beginners (What Is...?), explaining some of the terms used above.
I have very much enjoyed the process of writing, and I really appreciate the encouraging responses I've received this year. If these posts have been useful to you, I hope you'll stick with me. I plan to return to weekly publication from the beginning of September.
[1] This comment was adjusted in a subsequent conversation. My friend looked at /e/Foundation's documentation and found their apps come from cleanapk.org, which pulls from F-Droid. He was not able to find a lot of information about F-Droid but thought it might be an 'APK scraper'. I later learned he was talking about /e/OS's own store app here.
[2] I'll be honest: I copied this verbatim and don't know what it means.