Privacy Threat Modeling Step 3: Threat Mitigation [Work in Progress]
Added 2022-07-20 15:34:01 +0000 UTC
Mitigation Strategies & Privacy Enhancing Techniques
Consistency is essential to mitigating privacy threats. A countermeasure should be deployed against a concrete threat in a given context. But how do you know which countermeasures to choose and when to replace them with better ones?
Instead of just getting a list of tools, it is more consistent to think about your privacy as a set of strategies to implement.
LINDDUN has developed a comprehensive set of mitigation strategies that we can adapt to fit our user perspective.
We can have a look at this table and go one by one to learn new strategies and deploy relevant privacy enhancing techniques.
Using LINDDUN, we want to maintain strong privacy with four mitigation strategies:
- Protect your identity
- Protect data
- Guard exposure
- Maximize accuracy
Protect ID
Identifiability and linkability lead to the most severe privacy violations. So we want to take care of these threats first.
Use anonymous one-time credentials wherever possible. Do not re-use the same username and password combination for more than one service. Manage your identities with a secure password manager such as KeePassXC or Bitwarden.
Find out if you are legally allowed to give false information to a service. Oftentimes, you can get away with it (this is not legal advice).
Get an anonymous email service from an encrypted provider such as Tutanota or ProtonMail. Use this account to sign up for an email alias service such as SimpleLogin and generate new aliases for every use of a new service. Alternatively, you can pay for more email aliases at these providers too.
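The two rules above (one credential per service, one e-mail alias per service) are easy to state and hard to keep by hand. The script below is an added example, not code from the original post or from any of the password managers or alias services it names: it reads a password-manager CSV export (the `url,username,password` column layout is an assumption; adjust it to your manager's export), reports which services share a password or a sign-up address, and generates a fresh random password and alias to replace them. The alias domain `alias.example` and the sample rows are constructed placeholders.

```python
"""Audit a password-manager export for password and e-mail reuse across services.

Added example, not from the original post. Column names (url, username,
password) are an assumption about the export format; nothing here talks to a
real service.
"""
import csv
import hashlib
import io
import secrets
from collections import defaultdict

# Constructed sample export: three services, two of which reuse both the
# password and the sign-up address. Not real credentials.
SAMPLE_EXPORT = """url,username,password
https://shop.example,alice@mail.example,Tr0ub4dor&3
https://forum.example,alice@mail.example,Tr0ub4dor&3
https://bank.example,a7f2q.bank@alias.example,correct horse battery staple
"""


def _fingerprint(secret: str) -> str:
    """Hash the password so the report never echoes plaintext secrets."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def find_reuse(export_text: str):
    """Return (password_groups, email_groups).

    Each is a list of service lists where more than one service shares the
    same password (compared by hash) or the same e-mail address.
    """
    by_password = defaultdict(list)
    by_email = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        service = row["url"].strip()
        by_password[_fingerprint(row["password"])].append(service)
        by_email[row["username"].strip().lower()].append(service)
    password_groups = sorted(g for g in by_password.values() if len(g) > 1)
    email_groups = sorted(g for g in by_email.values() if len(g) > 1)
    return password_groups, email_groups


def new_alias(service: str, domain: str = "alias.example") -> str:
    """Build a random per-service alias address (domain is a placeholder)."""
    tag = secrets.token_hex(4)  # 32 random bits from the OS CSPRNG
    label = service.replace("https://", "").split(".")[0]
    return f"{tag}.{label}@{domain}"


def new_password(length: int = 24) -> str:
    """Generate a random URL-safe password of exactly `length` characters."""
    return secrets.token_urlsafe(length)[:length]


if __name__ == "__main__":
    passwords, emails = find_reuse(SAMPLE_EXPORT)
    for group in passwords:
        print("same password:", ", ".join(group))
        for service in group:
            print(f"  replace {service} -> {new_password()}")
    for group in emails:
        print("same e-mail:", ", ".join(group))
        for service in group:
            print(f"  new alias for {service} -> {new_alias(service)}")
```

Running it on a real export, delete the file afterwards; the report prints only a truncated hash of each password, but the export itself is plaintext.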
Services that don’t allow you to dissociate their use from your identity should be treated as privacy-violating. This is usually gonna be social media apps and banks. If you use their mobile apps, put them in a separate user profile where you only keep apps that need your identity. This compartmentalization is one way you can keep these apps from tracking you outside of the user profile they’re in. This is the biggest benefit of using an Android phone or GrapheneOS, where you can create up to 15 different profiles.
Protect transactional data
Confidentiality of your content is essential. Services that don’t encrypt your messages end-to-end should be treated as untrusted. Do not share sensitive content on these apps if you have to use them.
The best option is to find alternatives with stricter encryption implementations. These are Signal and Briar. Keep in mind that your messages are gonna be stored on your devices. Always download apps from official repositories such as Google Play Store or App Store. Only use an up-to-date system that gets regular security updates and maintains the full security model of the device. The most secure phones are Pixel phones from Google and iPhones from Apple. Pixel phones allow you to mitigate the linkability, identifiability and detectability threats that Google and Apple introduce into their phones by installing GrapheneOS and removing Google services from your phone completely.
Protect contextual data
Context is just as sensitive as content. Anonymize your traffic with Tor either system-wide or for specific sensitive apps. You can use Orbot to anonymize your messaging apps and use Tor Browser to anonymize browsing and search traffic. Your IP address will lead to an approximate location and is unique enough to identify you. Obfuscate your IP address with a VPN service or anonymize it with Tor.
Some apps that offer end-to-end encryption of content do nothing to protect your metadata. Services like iMessage from Apple and WhatsApp from Facebook are examples of privacy-invasive metadata policies that pose significant linkability, identifiability, non-repudiation and detectability threats.
Use a messenger that implements a version of the Off-the-Record (OTR) protocol or sealed sender. This is Signal or Briar. Briar’s metadata protection is significantly stronger than Signal’s, since it requires no identifiable usernames or phone numbers and by default anonymizes metadata via the Tor network.
Awareness
For every system in your data inventory, go through the settings and find anything related to privacy and security. Check for any privacy controls and feedback tools you can take advantage of to be aware of what can and can’t be controlled.
Compliance
Take advantage of the privacy controls presented to you. Don’t just dismiss the pop-up windows with a quick “I agree” toggle. Reject cookies and trackers at every opportunity. Force services to respect your consent by routing your traffic through VPN servers in the European Union, where privacy legislation is stricter than elsewhere. Don’t underestimate this step. Hardening your privacy settings will legally bind companies to protect your data. If they violate your consent, you could at least have legal grounds to get them to compensate you for damages. (This is not legal advice.)
Confidentiality
Whatever data ends up in a database will be exposed in a breach sooner or later. Either that, or a lucrative deal will find its way to it with enough money. Encrypt all the data you send to the cloud with a key only you own and the strongest encryption protocol available. This means avoiding iCloud, Dropbox or Google Drive and using an end-to-end encrypted storage such as ProtonDrive, or using Cryptomator to set up encrypted vaults only you will have access to.
Preferably, avoid cloud backups altogether and make an encrypted SD card on which to store all your important files. If you set up a hidden volume, you could also gain plausible deniability if repudiation at the data store is your need. I have a dedicated tutorial explaining how to create an encrypted offline backup.
Data store isn’t just what’s in the cloud but also what’s on your devices. Make sure they are all encrypted with a strong passphrase. Pick a device with the strongest hardware security module, such as a Pixel phone with the Titan M chip. These chips are built to make all known attacks on your device secrets infeasible. Your phone is likely gonna have more secure encryption than your laptop, so take advantage of that.
Harden access controls on your devices. This means revoking and limiting permissions that grant invasive access to your sensitive files and data. Sensitive information isn’t just your location, camera or microphone. It’s also your contacts, files and media, calendar, messages and sensors. Go to the privacy manager of your phone, review these permissions and revoke access that is not necessary. GrapheneOS hardens privacy and security settings further than any other phone available.
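Reviewing permissions one app at a time in the phone’s settings works, but the same review can be done from the command line and repeated after every app update. The script below is an added example, not code from the original post or from GrapheneOS: it parses the `runtime permissions` block that `adb shell dumpsys package <package>` prints (the line format is reproduced from memory and the excerpt below is constructed, not captured from a device), flags the sensitive grants the post names (location, camera, microphone, contacts, files and media, calendar, messages, sensors), and prints the matching `adb shell pm revoke` command for each. Nothing in it talks to a device; `com.example.social` is a placeholder package name.

```python
"""Flag sensitive runtime permissions granted to an Android app.

Added example, not from the original post. Parses a `dumpsys package`
excerpt (format is an assumption; sample is constructed) and lists the
sensitive grants to review, with the `pm revoke` command for each.
"""
import re

# Permission -> category, covering the sensitive data the post names.
SENSITIVE = {
    "android.permission.ACCESS_FINE_LOCATION": "location",
    "android.permission.ACCESS_COARSE_LOCATION": "location",
    "android.permission.ACCESS_BACKGROUND_LOCATION": "location",
    "android.permission.CAMERA": "camera",
    "android.permission.RECORD_AUDIO": "microphone",
    "android.permission.READ_CONTACTS": "contacts",
    "android.permission.READ_EXTERNAL_STORAGE": "files and media",
    "android.permission.READ_MEDIA_IMAGES": "files and media",
    "android.permission.READ_CALENDAR": "calendar",
    "android.permission.READ_SMS": "messages",
    "android.permission.RECEIVE_SMS": "messages",
    "android.permission.BODY_SENSORS": "sensors",
}

# Constructed dumpsys excerpt for a hypothetical app (not real output).
SAMPLE_DUMPSYS = """\
Packages:
  Package [com.example.social] (1a2b3c4):
    userId=10123
    runtime permissions:
      android.permission.ACCESS_FINE_LOCATION: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
      android.permission.CAMERA: granted=false, flags=[ USER_SET ]
      android.permission.READ_CONTACTS: granted=true, flags=[ USER_SET ]
      android.permission.POST_NOTIFICATIONS: granted=true, flags=[ USER_SET ]
      android.permission.RECORD_AUDIO: granted=true, flags=[ USER_SET|USER_SENSITIVE_WHEN_GRANTED ]
"""

GRANT_RE = re.compile(r"^\s*(android\.permission\.[A-Z_]+): granted=(true|false)")
PKG_RE = re.compile(r"^\s*Package \[([\w.]+)\]")


def granted_permissions(dumpsys_text: str):
    """Return (package, {permission: granted}) parsed from the excerpt."""
    package = None
    grants = {}
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m and package is None:
            package = m.group(1)
        m = GRANT_RE.match(line)
        if m:
            grants[m.group(1)] = m.group(2) == "true"
    return package, grants


def sensitive_grants(dumpsys_text: str):
    """Return sorted (permission, category) pairs that are sensitive AND granted."""
    _, grants = granted_permissions(dumpsys_text)
    return sorted((p, SENSITIVE[p]) for p, ok in grants.items() if ok and p in SENSITIVE)


def revoke_commands(dumpsys_text: str):
    """Build the `pm revoke` command line a reviewer would run per flagged grant."""
    package, _ = granted_permissions(dumpsys_text)
    return [f"adb shell pm revoke {package} {perm}" for perm, _ in sensitive_grants(dumpsys_text)]


if __name__ == "__main__":
    for perm, category in sensitive_grants(SAMPLE_DUMPSYS):
        print(f"{category:16} {perm}")
    print("\nto revoke what is not needed:")
    print("\n".join(revoke_commands(SAMPLE_DUMPSYS)))
```

The commands are printed rather than executed so the review stays a human decision; revoking a permission an app genuinely needs will make it malfunction, and some apps simply re-prompt.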
Minimization
Use apps that don’t need to collect your data to monetize their service. Much of machine learning that improves user experience can be done on device with federated learning. Minimize how much data you share with services and make sure they collect and store as little as possible about you. Misinform where possible.
Sensitive location information can be revealed through more vectors than just location services. Radio triangulation is a cheap practice that correlates cellular connections to your location. This can be mitigated with airplane mode. Bluetooth and WiFi scanning is often running in the background by default. This needs to be disabled manually, and only GrapheneOS keeps it off by default.
Maximize accuracy
Request a copy of your data from all of the service providers on a regular basis so that you know exactly what info they collect. Review how much data they have on file and request full deletion. There is usually gonna be a process for this at most major services.
There is a list of people-lookup services that harvest your private information for sale. Contact these services one by one with a request to remove all of your data from their files.
Send these requests routinely every few months or years depending on the amount of data they collect. Take advantage of relevant privacy legislation in your area. Even the biggest surveillance states are gonna have some privacy rules.