Feedback / input on my spite model

de0u

SorryImLate (thank you Exodus)

https://discuss.grapheneos.org/d/20641-aurora-store-exodus-trackers/6

SorryImLate

de0u Interesting input on Exodus, thanks, that confirms what I had suspected.

I've been ignoring their permissions valuation because I trust GOS will give me the best available protection there. I also already identified an app that has an ad tracker (as per Exodus) but in-app includes the option to opt out of personalised ads, so it makes sense that not all trackers will be active. That said, they're still helpful for identifying apps that include a long list of social media and ad trackers because I want to avoid such companies on principle.

Mystified3527

SorryImLate

SorryImLate I have an AdGuard VPN subscription but, after reading this awesome article, I've concluded that it's only useful to me if I use an unsecured wifi, or I want to hide my country for some reason i.e. rarely. My ISP uses CGNAT, and I'm pretty sure it's illegal for them to track me, so I have no reason to trust AdGuard over them with regards to my IP address.

Proton mail is not the only thing you can use from proton; their vpn is one of the few reliable (and free!) ones available, with the other mainly recommended one being Mullvad.
I would consider these over AdGuard, especially if you only plan on using it only occasionally, proton's free VPN might work out better for you, and if not, Mullvad is often considered the top paid one.
If you decide to go this route, Mullvad also has a free DNS service: https://mullvad.net/en/help/dns-over-https-and-dns-over-tls available to anybody that also deals with trackers. This is what I use, and it might save you some money.

SorryImLate My apps are downloaded primarily from the sandboxed google play store. For this, I've created a new google account without my phone number, primary email, or payment information. I've opted out of every kind of history and tracking that I could, and deleted the advertising ID in the store.

I'm refusing to download any apps that require purchases via the google store, or apps that require play integrity. In these few cases I'm either using a Web App, or downloading the apps using Obtainium and confirming them with App Verifier.

Some of the setups listed in the first article here: https://discuss.grapheneos.org/d/21487-seprand-articles-and-guides-about-grapheneos-by-the-community
go over ways to minimize the access google has through play store, especially with the owner as app pusher setup.
You can further reduce the access apps have by separating them with profiles, as described in the link above, that way they have far less data available.

SorryImLate The biggest hold up right now to using my new phone is moving away from outlook mail. I've had a Proton account for ages but never got around to setting it up. When I tried to set it up on GOS, I discovered that I can't sync my proton contacts with my android contacts. I really don't want or need 2 contact lists. I've also come to the conclusion that a Proton email would add no value to me because I don't know anyone else using Proton, or anyone encrypting emails for that matter.

Proton does remove trackers from emails, and the emails themselves are stored encrypted on the Proton servers while at rest. I believe Outlook does not do this, and instead only encrypts in transit (please confirm this yourself), and you can send password-protected encrypted email to non-Proton addresses, though you need a secure way to get the password to your recipient, hopefully through signal. In general, Proton seems to be less invasive with email and doesn't monetize your data (they can't access much in the first place) unlike Outlook.
I can't help you with the two contact lists; they just have not bothered me since I don't email all my phone contacts, and I don't message/call all my email contacts.

zzz

SorryImLate
Great writeup, welcome to the land of the free.
You're doing great, don't be discouraged.

About Adguard - be aware of their ties to Russia, which they have taken pains to obscure.
https://discuss.grapheneos.org/d/13591-what-when-quad9-is-down/16

Seconding Mystified3527 that Proton VPN and Mullvad are great options.

About contact lists - what is the value in merging android contacts with proton contacts?
Genuinely curious, as I've never felt the need to do so.
I do notice that a one-time import is possible:
https://proton.me/support/adding-contacts

Best of luck!

SorryImLate

Mystified3527 Thank you very much for the detailed input.

I bought a 2-year Adguard VPN subscription last year (it was on sale and I was definitely mis-sold on what a VPN does). I've cancelled the auto-renewal but figured I would keep using the subscription until it expires. However, if I understand you correctly, it would be better to just write off that money and switch to Proton or Mullvad now, because Adguard's VPN isn't reliable, plus they're not a trustworthy company. Is that accurate?

Thank you for the link to Mullvad's DNS, I'll switch to that immediately.

Thank you for the Seprand link, it's a good article which I would have really appreciated 2 weeks ago :) (How did I miss that?? sigh) Anyway, I did consider using a secondary profile but concluded that it's probably overkill for me for everyday use. I'm not currently using my phone for work, and I'm not very active on social media, so I see no need for a separate "persona". Also, I figure if companies want to do underhanded communication such as using IPC, they could just as well use the LoopBack port like Meta and Yandex did - apparently that also functioned between profiles (I've been lurking on the GOS Discord and read that disturbing detail there.) I might change my mind in the future but for now I'm OK with just keeping my Banking apps in the Private Space. Good tip though.

No question I have to leave Outlook, and if only Proton were available I would make it work. However I've been using Outlook for 13 years now, and before that I had a hotmail account (technically still do), so I still have contact details in there from people I haven't seen in 20 years (yes, I'm old, and a data hoarder). I'm just really used to (and like) having a single contact source that I can use for signal, threema, phone calls, birthday calendar, e-mails, notes on their kids birthdays, etc. You raise an interesting point though, I wouldn't need to fully sync my email and phone contacts, just split my existing contacts into those groups. I should do some homework and see for how many contacts I actually use both.

SorryImLate

zzz Thank you for the encouragement, it's been a really interesting journey so far :)

I had no idea Adguard has Russian roots. I was considering switching to Mullvad eventually, so maybe I should do that sooner than planned.

Regarding contacts, it's partly for convenience, partly simply being comfortable with my current setup, and partly because my day job regularly involves combining multiple data sets and I see no reason to split data that belongs together. (Huh, I hadn't fully realised the last point until I started answering you.)

I'm used to having a single repository with all my contacts information, which I can access for whichever purpose I want, whether that is getting directions to their new address, creating a calendar with their birthdays, calling them, messaging them, e-mailing them, or remembering their kids names (seriously). If I understand correctly, I can't give other apps access to contact information stored by Proton. That means I would need to either split my existing contacts into 2 lists (one with email and birthday info for Proton and the other with phone numbers) or I would need to manually sync a single list. That just sounds annoying and mistake prone. Bleh.

SorryImLate

Mystified3527 Apologies, I realised after I replied to you that my brain had linked your comment on VPN providers with another reply I received

zzz About Adguard - be aware of their ties to Russia, which they have taken pains to obscure.
https://discuss.grapheneos.org/d/13591-what-when-quad9-is-down/16

So I realise that you hadn't actually made any comments regarding AdGuard's trustworthiness, I was just jumping to conclusions because you recommended other providers.

DeletedUser299

SorryImLate regarding Tuta. I disagree, the app on GtapheneOS is excellent.

SorryImLate

DeletedUser299 To be fair, I haven't tested any Tuta apps, I'm just going on what I've read online. I'm interested to hear your experience, thanks.

I guess I'm not convinced that my privacy needs justify a sandboxed environment like Tuta or Proton. Is there any point if no-one I email uses Tuta or Proton, or encrypts emails in any way?

SorryImLate

de0u That is very clear now, thank you so much.

I'm going to go buy myself a physical google play gift card so that I can buy apps on the play store without giving google my personal information. That will only leave Ko-Reader which isn't available in the Google Store.

de0u

SorryImLate I'm going to go buy myself a physical google play gift card so that I can buy apps on the play store without giving google my personal information.

I have never tried using a Google gift card, but lots of people have reported running into restrictions when trying to use them as an anonymity tool.

Mystified3527

SorryImLate

SorryImLate I bought a 2-year Adguard VPN subscription last year (it was on sale and I was definitely mis-sold on what a VPN does). I've cancelled the auto-renewal but figured I would keep using the subscription until it expires. However, if I understand you correctly, it would be better to just write off that money and switch to Proton or Mullvad now, because Adguard's VPN isn't reliable, plus they're not a trustworthy company. Is that accurate?

This I am not 100% sure about, I meant it more as in when the AdGuard subscription expires instead of renewing it, switch to Proton or Mullvad. I would have to do more research on AdGuard to tell you for sure if you should drop the subscription immediately.

If anyone else here has more info on AdGuard, please share it.

vlad

SorryImLate So I realise that you hadn't actually made any comments regarding AdGuard's trustworthiness

closed source privacy-related software originating from totalitarian country: what could go wrong.

SorryImLate

de0u Worth a shot anyway. I'll start with a small amount and see what happens.

SorryImLate

de0u Just an FYI / update on the use of a google play gift card for anonymity.

You are correct that the process doesn't support using a gift card anonymously. I managed to fudge it (kind of) but still had to give more information than I wanted. The gift card is also only usable for one-off purchases, it can't be used for subscriptions.

Here is detailed info on my experience, in case it helps someone else.

My first few attempts at adding the gift card failed, until it was "locked" and I had to provide "additional information". I don't know whether the lock was due to my age being unverified, giving business contact information, using a VPN, or a combination of the 3.

Age Verification:
Google (unsurprisingly) didn't believe my fake birthday of 1/1/2000 combined with no surname, and they had already downgraded my account to a "child" account with limited privileges. Apparently, in my country you have to be 13 or older to use a gift card (no idea why), so I had to verify my age (no, I don't live in the UK). The frustrating thing here is that at no point while trying to register the gift card did I get informed that my unverified age was an issue, I only discovered this after the gift card was locked.

In order to verify my age, my options were to upload an ID, upload a credit card, or use the PrivacyID webservice. I opted for the 3rd of those, which involves taking a selfie.

Contact information:
Google insisted on having an address and phone number before approving the gift card. I entered the address and phone number of our national Data Protection and Information Commissioner.

Perfect Hindsight:
1) Google now knows who my ISP is - switching off my VPN was my first move when registering the gift card failed.

Lesson learned: Do this while connected to a public wifi somewhere far from home (but still in the country your google account is registered for).

2) I updated my fake birthday to something closer to my real birthday when I read that they would be using a selfie to check my age. Afterwards, I read that Privacy ID claims that they simply advise whether or not you are age 18 or older, so this was probably unnecessary.

Lesson learned: Use a less obvious fake birthday than 1/1/2000 but otherwise, it should be fine as long as it determines an age above 18.

3) Google might have a photo of me - Privacy ID swears blindly the photo stays local but, again, who knows. The risk is higher here than was necessary because I had already downloaded and used chrome to verify my age on my main profile before you suggested switching off JIT in Vanadium. The JIT tip worked for my private space though, so thanks.

Lesson learned: Use Vanadium with JIT disabled for privacyid.com

4) Google now knows the municipality I live in. In order to unlock the gift card, I had to provide a copy of the purchase receipt, which showed the purchase location, which is very near my house.

Lesson learned: Buy the gift card in a shop far from your actual house.

Idea: Use a shop and public wifi that are both close to the business contact information that you provide, so that everything is nice and consistent.

Reading the above makes me feel rather stupid. Clearly, OpSec is not my strength. However, if it helps someone else who genuinely needs to be anonymous, it was worth it ;)

SorryImLate

vlad

vlad closed source privacy-related software originating from totalitarian country: what could go wrong.

Good point, well made. I'll switch.

de0u

SorryImLate

Thanks for the report!

Opsec is hard. People who professionally conceal themselves (e.g., spies) train for a long time and still make mistakes.

Some people who get into privacy-as-a-lifestyle end up in a vicious cycle of learning more about how people are tracked, then upping their behavioral restrictions, then learning more... and feeling that even though they are putting in more and more effort (and making their friends and family more and more nervous) they're always falling behind.

I think my personal use of GrapheneOS is fairly successful in part because my goals are modest (mostly I don't want to share my calendar and my contact list and my communication patterns with Google). And I realize that I am ok with limitations that many people would find shocking (no Play Store, no Android Auto -- what kind of smartphone is that???). But personally I think it's a good sign that I'm not on a "slippery slope" of spending more and more energy on privacy while feeling worse and worse about myself. If I found myself there I would try to figure out how to take a deep breath and evaluate all of the costs and all of the benefits of my current position versus what seemed like the plausible next positions.