Main Idea: How to use technology to resist data collection, profiling, and other unsavory and unwanted digital actions by corporations.

What is technical resistance?

Broadly, technical resistance is the careful and purposeful use of technology to protect your data and privacy online and can be used to take a stand against today’s ubiquitous data and privacy abuses in the digital world. There are a variety of different places you can focus your attention when it comes to engaging in technical resistance, some very simple and some more complex. In this chapter, we will be focusing on:

1. Privacy Settings
2. Browsers and Services
3. Obfuscation

It is important to remember that, though unfettered advances in technology have exacerbated privacy issues through data mining, profiling, surveillance, and even the creation of biased AI systems, with careful use, technology can also be harnessed for protection. Furthermore, in today’s digital age, it is impossible to completely avoid technology and still survive in our society. We rely on our phones and our computers for everything from education, to work, to accessing social services. We may not be able to sever our ties with tech, but we can become smarter about how we interact with these everyday systems and make choices that protect our privacy and, ultimately, the privacy of others.

Why is it important?

As you’ve learned throughout this course, privacy, though often ill-defined, is an essential human right. Appropriate privacy protections support free speech, voting rights, democracy, personal choice, and ultimately, the good of society. Government surveillance can have a chilling effect on our free speech, our willingness to associate with others, and our willingness to voice dissent in our government or other political opinions (“’I’ve Got Nothing to Hide’ and other Misunderstandings of Privacy”).

We must also remain aware of the concept of information asymmetry. We, the common people, are never entirely aware of what data is being collected about us and what the “big players,” governments and corporations, are doing with it. Previous U.S. Secretary of State Donald Rumsfield spoke of the concept of “known knowns,” “known unknowns” and “unknown unknowns.” This was later developed into the so-called “Rumsfield Matrix,” a decision-making matrix that maps degrees of certainty and uncertainty. The Uncertainty Project defines the four quadrants as follows:

1. Known knowns: These are facts or variables that we’re aware of and understand. They form the basis of our knowledge and provide a solid foundation for decision making.
2. Known unknowns: These are factors we know exist, but don’t fully understand. They represent gaps in our knowledge that we must address through research, investigation, or consultation with experts.
3. Unknown knowns: These are elements that we don’t realize we know. They’re typically buried in our subconscious, overlooked, or dismissed as irrelevant. Uncovering these insights can lead to surprising breakthroughs in decision making.
4. Unknown unknowns: These are factors that we’re not aware of and can’t predict. They represent the most significant source of uncertainty and risk, as they can catch us off guard and derail our plans.

In the context of digital privacy and information asymmetry, the “unknown unknowns” encompass the data we are not aware is being collected about us, being put to uses that we do not know. In Obfuscation: A User’s Guide for Privacy and Protest, authors Brunton and Nissenbaum give the example of a surveillance camera. “We know we are being recorded. We know that we don’t know whether the recording is being transmitted only on the site or whether it is being streamed over the internet…we know that we don’t know how long the recording will be stored, or who is authorized to view it…there is a much larger category of unknown unknowns about something as seemingly simple as a CCTV recording. We don’t know if the footage can be run through facial recognition…software…or if the time code can be correlated with a credit card purchase…unless we are personally involved with privacy activism or security, we don’t even know that we don’t know that”, (Brunton and Nissenbaum, emphasis mine). For someone not aware of surveillance technology, they may not even know that things such as facial recognition are a possibility; that is a potential unknown unknown to them.

The more unknown unknowns, the less power we have, the stronger the information asymmetry. As it is, even if we try to learn all we can about surveillance technology, we still will not know exactly what our data is being used for. Because we do not have the power of the government or large corporations, we are always going to be on the losing side of this information asymmetry. For these reasons and many more, our privacy is important, and resistance to the erosion of that privacy is necessary.

Is it resistance?

Changing your online behavior, even the products you use, might seem like an exceedingly small move. It is unlikely, after all, that Google is going to care if one person restricts cookies and trackers, or even stops using their products all together. Aside from protecting some of your online data, from slightly limiting the stream that gets sent to the Big Data corporations, is it even worth it? Can this small form of resistance do anything?

Think of it this way: one person doing these things may not make a dent on big corporations’ profits…but if a lot of people start doing it, they’re sure to notice. If a lot of us start showing our discontent with current privacy practices by switching settings, changing products, and encouraging our friends and family to do the same, we have the power to work in a collective movement and spark a change.

Privacy settings

As you begin to get more privacy-minded, one of the first things you should do is check your privacy settings. Everything from your browser to your email to the websites you use should have some sort of privacy settings. By default, these settings are usually not tuned to your favor, but there are choices you can make to have your data be a bit safer.

Browser Settings

To begin with, you can look at your browser settings. The way to access these is different for each browser, but there’s usually a gear icon somewhere, or even a text-menu option most clearly labeled “settings.” From here, you’ll want to find the “privacy” and “security” options.

Pay attention to settings that mention “third-party cookies.” You’ll want to block these if your browser allows it. These cookies follow you around on the web, tracking you and helping advertisement corporations build a profile on you, so you’ll want to avoid these as much as possible. You’ll also want to turn off targeted/customized/personalized advertisements if you can, or at the very least, limit them as much as your browser allows you to. Check your security settings and permissions; you will probably want to turn off location-tracking and any option for the browser to send usage data back to the parent company (this is usually spoken of in terms of improving the service by sending usage data, crash reports, etc). If your browser gives you the option, check the boxes that say things along the lines of “tell websites not to sell or share my data” and “send websites a ‘Do Not Track’ request.”

“Do Not Track” is a privacy preference available in many web browsers that has been likened to to the “Do Not Call” registry for telemarketers. It communicates to servers that a user does not want to be tracked/is “opting out” of cookie collection and other details being shared with a website. Unfortunately, there is no law requiring that advertisers comply with users’ “Do Not Track” signals. Some sites do honor the request, so it’s’ worth setting up “Do Not Track,” but keep in mind it’s not a foolproof protection and you should still take other steps to manage your privacy (Lifewire).

Email settings

Like browsers, your email account will have some settings that you can tweak to better protect your privacy. This is especially important if you’re using Gmail, which, like all Google products, is notorious for collecting large amounts of user data, as discussed in a Wired article. No matter what email service you’re using, and whether it’s for work, school, or personal uses, be sure to check out your settings. And keep in mind that if you are using Gmail, the privacy settings are housed not on Gmail itself but on your Google profile. This takes a few extra steps to navigate to from your Gmail, but it’s worth the effort.

Like in browser settings, you’ll want to stop things like “web & app activity,” “location history,” and perhaps most importantly, personalized ads. Something that feels particularly egregious on Google accounts is the option to “decide whether Google search shows you personal results based on info in your Google account.” This may sound innocuous, until you remember discussions of filter bubbles, and biases in search engines based on location, race, and a variety of other factors.

Website settings

Of course, every website is going to have different settings, so a true rundown would be impossible. One point to remember to look out for, though, is cookies. Reject any cookies that you can, only allowing those that are essential for a website to run (you won’t be allowed to turn these cookies off, even if you can reject the others.) Some websites and applications may have more in depth privacy settings like those discussed above. Pay special attention to any settings that allow you to control what data gets shared with third parties.

Switching Services

Going a step beyond changing privacy settings in the services you’re already using, you might consider changing services altogether or, at the very least, installing some plug-ins to help protect your privacy.

Browser Extensions and VPNs

A browser extension is a small “add-on” that you can access via your browser’s built-in extension “marketplace” and install. Extensions can perform a variety of tasks, but here we are focusing on ones that are intended to protect your privacy. Keep in mind before downloading any extension that extensions themselves and present security and privacy concerns! Extensions are granted a variety of permissions when you install them, and a malicious extension may do things like steal your passwords or sell your data to third parties, exactly the kind of thing we are trying to avoid. Always do your research before you install any extension to make sure it is trustworthy. That said, some well-known and well-vetted extensions that protect your privacy include:

• AdBlock Plus
• UBlock Origin
• PrivacyBadger
• Disconnect Private Browsing

These extensions help to stop trackers by blocking ads, tracking cookies, and scripts meant to follow you around the internet and build profiles on you. No matter what browser you’re using, it’s a good idea to pick a privacy extension and download it.

Another “add-on” that you can download to protect your security before you go about completely switching the services you use is a virtual private network, a VPN. As explained by PCMag.com, VPN’s create an encrypted connection between your device and a remote server. All your internet traffic gets routed through to the server, which makes it harder (though not impossible) for you to be identified and tracked online. You may especially want to consider installing a VPN if you frequently use public Wi-Fi networks.

Safer Services

Of course, you can take all these precautions, however if you continue to use a browser like Google, which as previously mentioned, collects a large amount of user data, your data is still at risk of being sold to the highest bidder. Changing privacy settings, stopping trackers, and blocking cookies can do something to protect your data, but continuing to rely on services that want to harvest and make money off your data is not doing yourself any favors. This next step requires a bit more effort on your part, but if you’re serious about your privacy, you should consider switching services.

Services like those offered by Google are certainly tantalizing. They’re easy to use, they’re integrated with other services and websites across the internet, not to mention other hardware devices like Google Pixel (or, if we replace “Google” with “Amazon”, we could talk about Alexa), and, perhaps their greatest draw, they’re free. But if you take a step back to consider how Google makes money off of products like Gmail and Google Drive, you’ll realize that they’re not really free. Sure, you don’t have to spend any money…but the company makes their own money by harvesting and selling your data. This makes sense, if you think about it. Why would a company give away its services for free? To build a large userbase that they can then collect massive amounts of data from to sell to advertisers.

It’s not the case that every free service is indiscriminately selling your data. Mozilla offers Firefox, a free browser that cares about your privacy. Some other privacy-centered services, like Cryptpad, offer free plans that have less features than their paid plans but are still usable. However, a good rule of thumb is to be cautious about free services.

A good place to turn is small, open sourced companies and products. According to opensource.com, the term refers to “something people can modify and share because its design is publicly accessible.” However, today, it designates a broader set of values that “embrace and celebrate principles of open exchange, collaborative participation, rapid prototyping, transparency, meritocracy, and community-oriented development.” Benefits of this type of software include giving the user more control and more security (because anyone can modify open-source software and then correct errors the original authors may have missed). Of course, just because something is open source, that doesn’t immediately mean it’s safe or that it values privacy. However, keeping these kinds of products in mind is a good place to start.

You’ll also want to consider using encrypted products. These are especially important when it comes to storing and transmitting potentially sensitive data. So, instead of Google Drive, you might want to use something similar to CryptPad. Thanks to its encryption, the company behind CryptPad cannot access and read your files. The same cannot be said for Google Drive. Similarly, email providers like Proton Mail allow you to keep your email communications safe via encryption.

Some browsers and other services that are recommended for privacy:

• DuckDuckGo
• Firefox
• Brave
• Proton Mail
• CryptPad
• Icedrive
• Sync.com
• Signal

Obfuscation

In their book, Brunton and Nissnebaum offer ways to fight today’s pervasive digital surveillance using obfuscation. They intend to start a small revolution, one especially suited for the “small players” aka those of us on the weak side of the world’s information-power dynamics. These obfuscation tools are not meant to be a replacement for legal regulation and governance, but rather an addition to the privacy toolkit available to all of us.

examples of obfuscation

One of the clearest examples of obfuscation comes to us from the pre-internet world during WWII. Planes would release “chaff”, strips of aluminum foil-backed paper, to confuse the radars of enemy planes. It “taxed the time and bandwidth constraints of the discovery system by creating too many potential targets,” allowing the plane time to get past the range of the radar. Many forms of obfuscation work best as “throw-away” moves to buy some time.

Examples of obfuscation on the internet today include Twitterbots filling hashtags with senseless “noise” in the form of nonsense tweets, “TrackMeNot,” software that automatically generates search queries from a “seed list,” thus sending out realistic but “false” searches to foil algorithmic profiling, and AdNauseum, a browser plug-in that clicks on every ad it encounters, also foiling profiling.

diy obfuscation

Using obfuscation can be a simple strategy if you’re downloading obfuscating plugins and software, like many of the things we’ve already discussed in this chapter. However, if you have an interest in programming, obfuscation can become a much more complex strategy wherein you use obfuscation principles to create your own tools. If you’re going to do this, there are two “categories” to keep in mind: goals and implementation considerations.

Goals

The goal considers the specific type of threat that you are creating a tool to fight against and what you are intending to accomplish with that tool. You can have more than one goal, and in a way all these goals build upon each other as you continue, like rungs on a ladder.

1. Buy some time. Like the radar chaff, you only need to buy just enough time to accomplish your goal and avoid detection/identification/data harvesting.
2. Provide cover. In this way, you conceal one action within another action.
3. For deniability. This prevents your adversary from connecting actions to actors, particularly useful when your adversary wants to be sure it has the right person in connection with some specific action they took.
4. To prevent individual exposure. This allows databases to appropriately keep aggregated data for research purposes without that data being connected to or usable to observe any specific person.
5. To interfere with profiling. This is if you want to stop, for example, your search engine from creating an algorithmic profile on you based on your search history and using that profile to alter the results you get for future searches.
6. To express protest. Useful if you want it to become clear to companies that you’re obfuscating your data as an indicator that you do not approve of their data collection practices!

Implementation Considerations

These are questions that shape the components of a particular obfuscation project. Ask yourself, “is my project…”

• Individual or collective? Can it be carried out by just one person or does it require collective action? Some will work better if many people make use of it, while for others the opposite is true and many people using the tool may reduce its effectiveness.
• Known, or unknown? Will your method work if your adversary knows its being employed (such as if you’re using it to express protest) or does it need to remain unknown and undetectable?
• Selective or general? Is your obfuscation tool directed at a specific adversary (i.e. Facebook) or will it work against anyone who may be trying to collect data about you? Are you being specifically targeted, or is this a more general collection and aggregation of data?

conclusion

While it is important that governments and other regulatory agencies make moves to protect our privacy, we cannot rely on them at the moment. Data collection, aggregation, and selling is currently legal, even though the practices are unsavory and something we’d like to protect ourselves from in order to preserve not only our own privacy but the privacy of others. Under those circumstances, we have a variety of technical tools to turn to in order to protect ourselves from the bigger powers out there who are hungry for our data and the money it makes them.