13 votes

What steps can the average user do to secure their data privacy?

With all of the identity verification laws in the pipeline, data breaches, and government overreach (mandated monitoring in new cars in the US), what steps can the average person take to secure their anonymity and data and device privacy?

I’m a tech-savvy person but nowhere near the level of a great many. It seems like in the face of overwhelming odds, making small changes is only a drop in the bucket. I have all the data encryption settings enabled on my phone, but I use services like Dropbox and rely on it heavily. I’ve always thought that if the product is free, you’re the product…but I pay for Dropbox, so they shouldn’t use my data for training AI (but they likely are). Setting up a personal cloud seems like a daunting task, as is getting involved in any of the small projects that people have going (decentralized networks, mesh…things, P2P, etc). I’ve focused more on securing my home networks recently so my Ubiquiti devices are restricted in what they can access, but I haven’t actually pen-tested my network yet. I have PopOS! installed on my home desktop because I got tired of Windows’ invasive…everything, but ultimately I don’t know what I’m doing.

There’s probably a great many people out there that feel like it’s hopeless to try to do anything because it won’t matter as there’s such a heavy push to invade, restrict, and monetize our digital lives. What can the average person do to take control of our devices and data?

13 comments

  1. ogre

    Use websites instead of apps. Even with the granular privacy settings they can gather much more info about you from an app install than from a web page.

    7 votes
  2. [5]
    nacho

    Realistically if one is serious about this, you need to at least:

    • host your own "cloud" storage on a physical server you own yourself (and that you back up regularly with a physical device stored at a different address for things like fire-protection).

    • Encrypt all traffic between your devices (including your server, two servers if you don't go to back up physically at an offline location for those who like their back-ups that way).

    • Encrypt all your storage units

    • Not allow biometric access to any of your devices.

    It gets way, way more complicated with online services and leaving data from use. I won't get into that because it's extremely complicated and depends on what services one uses, what data traces one accepts what other entities get and so on.

    Even more so if one is to escape cameras in public places and so on.


    I'm also sure people have services they "trust", arguments and reasoning for why a lower standard is acceptable to them, or why some technical work-around renders a data-tracking, law enforcement-abiding service somehow outside that scope.

    I'd argue that would break with the standards asked for in the OP. The level of convenience you'd have to give up to secure actual anonymity and/or device privacy would leave a life not looking like a 21st century life. That's the reality.

    5 votes
    1. [4]
      gary

      Not allow biometric access to any of your devices.

      If you don't trust your device to keep your biometrics locally as manufacturers claim, there's no reason to believe you can type passwords into your device securely.

      5 votes
      1. [3]
        nacho

        Others can force you to open a device biometrically. Some places that's legal, others not.

        7 votes
        1. [2]
          gary

          That has to do with data security, not privacy as the OP was asking for. Besides, Android and iOS support periodically requiring you to re-authenticate with a master password to unlock biometric support. This gives a good balance between usability and security. Biometrics also give the added security of not requiring you to punch in your password every time you need to use a secure service. Cameras being more and more common, it's potentially riskier to have to type your master password outside of your own home. Biometrics are not necessarily a less secure form of authentication. There is no hard rule that typing is always better than scanning.

          If a state actor has ambushed you, captured your device, and is capable of forcing you to scan your biometrics, they are also capable of hitting you with a wrench as in the famous XKCD comic.

          7 votes
          1. GoatOnPony

            It's very hard to maintain privacy without security, so I don't think they're neatly separable concerns.

            That xkcd comic is overused IMO. There's a meaningful category of threat modeling where you assume the bad actors are malevolent enough to use restraint but not going to torture you, i.e. regular cops and not the CIA or even a random pickpocket who will flash a phone at your face as they run away but won't beat you up in a busy area. In the US a biometric passcode is not as protected and you can be compelled to unlock a device with a fingerprint/face scan as part of a search and they're not going to bust out the wrench for a passcode. Courts in the US hold that forcing a passcode would violate the fifth amendment so there's additional legal protections. As for the periodic requirement to use a master password, that doesn't help very much, police and criminals have tools to keep a device awake indefinitely after one unlock. Better is to know how to put the device into lockdown mode and do that whenever you are in a place likely to involve police or pickpockets.

            Having said all that, I think the better approach is biometric on the device itself (and know how to put the device into lockdown mode anyway) and then use individual apps which require a passcode/pin to access à la Signal's PIN.

  3. gary

    I can recommend Cryptomator as a layer that runs on top of Dropbox, securing you from Dropbox accessing data you don't want them to.

    2 votes
  4. [2]
    bme

    I hate to say give up, but I don't really see how you can do anything about it. Let's assume you disengage from everything, everyone is still selling everything about you that they can, credit records, property records, renting, mortgages, bank transactions. Unless you want to actually do cash only, and live in a squat or something, it's really hard to have many eyes on a reasonable slice of your life.

    1 vote
    1. Banazir

      This is defeatist and looks at the problem as all or nothing. You can take steps to protect your privacy, and while there will still be gaps in that protection it's better than just leaving everything out in the open. It's a game of layers, and you can choose to do more or less depending on how much energy you have to devote to it. Saying that you might as well do nothing at all is how we get to this point.

      9 votes
  5. [4]
    snake_case

    There's a few browser settings you could use, imo you know you’re doing it right if some of the notoriously fishy websites like Facebook break.

    Most important one I always flip on is the one to clear all cookies and browsing data on close. It logs you out of everything, but persisting logins is super insecure anyway.

    1 vote
    1. SleventhTower

      This isn't really my area, so I'm just asking out of curiosity. Why is persisting a login insecure? Like in which scenarios is that a concern?