Steps For Better Online Privacy (npr.org)
69 points by Sami_Lehtinen 5 days ago | hide | past | favorite | 44 comments

I think this is a good place to talk about the fact that all U.S.-based technology companies have to provide requested data stored on servers regardless of whether the data are stored in the U.S. or on foreign soil. https://en.wikipedia.org/wiki/CLOUD_Act

This, combined with the huge amount of tracking from most tech companies, means that the U.S. government can basically get almost unlimited information about anyone, wherever they are. Kinda scary if you ask me. Then again, after the Snowden revelations, this doesn't surprise me.

I just set up Pi-hole recently and it blows my mind that almost 15% of requests are trackers/garbage. I highly recommend setting one up and donating to them if possible. You can always use balena if you're not tech-savvy enough [1]. The easiest solution is to use AdGuard's DNS, which has most of these blocked for you [2].

[1] https://www.balena.io/blog/deploy-network-wide-ad-blocking-w...

[2] https://adguard.com/en/adguard-dns/overview.html

That's actually low! Once you add some custom lists, it'll go higher than that. The lowest ratio of blocked requests I see is 38% on mine. When I use a news reader app on my phone, it goes up to around 55%.

Any custom list suggestions?

I don't pay much attention to which is which; if you search for "pihole adlist" you'll find lots of recommendations.

FYI: You can add the list URLs in the web interface under "Group Management > Adlists". It took me a while to realize that.

Many thanks!

I’ve been thinking about doing this as a weekend project.

Do the hardware limitations of the Pi mess with download or upload speeds at all?

Any weird sites that don’t work with it running?

How much better is it than something like ublock origin?

> Do the hardware limitations of the Pi mess with download or upload speeds at all?

Not at all (at least for me on a 100 Mbit connection with the Pi 3B+). I've read you could even use a Pi Zero if you don't care about the web interface being all that snappy.

> Any weird sites that don’t work with it running?

You set your own blocklists so you can choose how permissive you want to be. I have something like 1MM blacklisted URLs and rarely find sites to be completely broken. It's easy to temporarily pause the blocker, or add a single domain to the whitelist.

> How much better is it than something like ublock origin?

uBlock Origin has the advantage of hiding content directly from the page, whereas Pi-hole tends to leave a greyed-out box where the ad used to be. I tend to use both at the same time anyway.

Not OP, but I'm using NextDNS -- the managed version of a Pi-hole. I have uBlock Origin and uMatrix in all my desktop browsers, and I'm seeing around 15% blocked queries on NextDNS. Most of the blocked traffic seems to come from my mobile devices.

It's just a self-hosted DNS, so there shouldn't be any speed reduction (it goes straight to Google's DNS if the name isn't blocked). It's very different from uBlock Origin, which reads the HTML directly from the website. Since it's DNS-based it's not perfect, which is why they recommend using Pi-hole + uBlock Origin. The nice thing about it is that it blocks most ads pretty well (even on your phone) without breaking anything if you use the right host list, and blocks all the telemetry network-wide (if you change the DNS on the router).

Do you have to use Google’s DNS?

I’m currently trying to phase off my dependence on them.

Gotta wonder what kind of ad tracking/targeting they do based on DNS lookups you send them

There are multiple DNS options. Or you can just use Unbound and be your own DNS.



You can configure any DNS server you like

Just put Steven Black's hosts list[1] into /etc/hosts

Not sure what, apart from extra CPU cycles, Pi-hole adds over this.

[1] - https://github.com/StevenBlack/hosts
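The two things argued about above, the "blocked queries" percentage that Pi-hole reports and what a hosts-format list actually matches, come down to a few dozen lines of logic. This is an added example, not code from Pi-hole, dnsmasq or the StevenBlack/hosts project: it parses a constructed excerpt in the hosts format, decides a DNS query exactly the way /etc/hosts and a plain Pi-hole adlist do (exact name match only, so subdomains not on the list pass), and builds the A 0.0.0.0 answer that Pi-hole's default blocking mode returns. The list text, query names and packet bytes are all constructed for the example; nothing is downloaded and nothing listens on the network.

```python
"""Added example (not from the thread or from Pi-hole): hosts-format blocklist
parsing, exact-match blocking, and the DNS wire-format answer for a blocked name.
All inputs below are constructed for the example."""
import struct

# Constructed excerpt in the StevenBlack/hosts layout: comments, loopback
# entries that a real hosts file also carries, then "0.0.0.0 <domain>" lines.
BLOCKLIST_TEXT = """\
# Title: constructed sample, not the real list
127.0.0.1 localhost
::1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 tracker.example
0.0.0.0 ads.example.net   # trailing comment
0.0.0.0 telemetry.vendor.example
"""

# Names that appear in every hosts file but are not blocklist entries.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "0.0.0.0", "ip6-localhost", "ip6-loopback"}


def parse_hosts_blocklist(text):
    """Return the set of blocked names from hosts-format text (first name per line)."""
    blocked = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # strip comments and whitespace
        parts = line.split()
        if len(parts) < 2 or parts[0] not in ("0.0.0.0", "127.0.0.1"):
            continue                              # blank, IPv6 loopback, junk
        name = parts[1].lower().rstrip(".")
        if name not in LOCAL_NAMES:
            blocked.add(name)
    return blocked


def is_blocked(name, blocked):
    """Exact-name match, as /etc/hosts and plain Pi-hole adlists do.
    'cdn.tracker.example' is NOT blocked by an entry for 'tracker.example';
    Pi-hole needs a regex/wildcard entry for that."""
    return name.lower().rstrip(".") in blocked


def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query packet (RFC 1035) for the given name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def parse_qname(packet):
    """Return (name, offset_of_QTYPE) from a single-question DNS packet."""
    if len(packet) < 12 or struct.unpack("!H", packet[4:6])[0] != 1:
        raise ValueError("expected a DNS packet with exactly one question")
    labels, pos = [], 12
    while True:
        if pos >= len(packet):
            raise ValueError("truncated question name")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:                         # no compression in a question
            raise ValueError("unexpected compression pointer")
        labels.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(labels), pos


def blocked_response(query):
    """Answer with A 0.0.0.0 and NOERROR, the shape of Pi-hole's default (NULL) blocking."""
    _, qend = parse_qname(query)
    qtype = struct.unpack("!H", query[qend:qend + 2])[0]
    ancount = 1 if qtype == 1 else 0              # only A queries get an RR here
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, ancount, 0, 0)
    question = query[12:qend + 4]
    answer = b""
    if ancount:   # name pointer to offset 12, type A, class IN, TTL 2, RDLENGTH 4, 0.0.0.0
        answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 2, 4) + b"\x00\x00\x00\x00"
    return header + question + answer


def resolve(query, blocked):
    """Return ('blocked', response) or ('forward', None); 'forward' is where the
    real resolver would relay the packet to its upstream (Unbound, Google, ...)."""
    name, _ = parse_qname(query)
    if is_blocked(name, blocked):
        return "blocked", blocked_response(query)
    return "forward", None


def blocked_ratio(query_names, blocked):
    """Fraction of queries blocked: the percentage the Pi-hole dashboard shows."""
    if not query_names:
        return 0.0
    return sum(1 for n in query_names if is_blocked(n, blocked)) / len(query_names)
```

Because the match is exact, a list of a million names still misses `cdn.tracker.example` unless that name is listed too; that, not the matching logic, is why people layer uBlock Origin on top, and why the percentage differs so much between households with different lists and devices.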

I used to do that, but then all of those blocked domains start appearing in the ssh auto-completion alongside those configured in ssh config, which gets annoying.

I prefer dnscrypt-proxy over PiHole if you don't want a UI.

NOTE: A benefit of PiHole/dnscrypt proxy on a local server like the raspberry pi is that you can use it across your devices instead of just on your laptop.

Big advantage for me is network wide blocking on all devices with one central location to manage lists.

How ironic that the balena.io site uses Google Analytics!

My advice: install Firefox on your mobile device. I took way too long to get a mobile browser with an ad and cookie notice blocker. It also lets you block third party cookies.

Pihole is also nice, but my router won't let me set it as the default DNS. Neither will my Chromecast.

Your router most likely will allow you to set ITS DNS to your local PiHole. So the DHCP will hand out your home router's IP as DNS server, but that in turn will access the PiHole as DNS server.

Your Chromecast will NOT use your DHCP-supplied DNS settings; it goes straight to Google's.

My network is setup so that all DNS requests are redirected to my Pihole.

Understandably, if you can't even change your router settings then this probably isn't possible. I'd consider putting another router in front of the non-configurable router in order to give yourself control of your own network (or, preferably, replace the non-configurable router altogether).

Most users can't or won't be bothered to take even minimal steps to improve their security or privacy.

Only after they lose control of their email or bank account (or lose an entire physical device) do they confess to having followed none of the recommended prevention measures.

Granted, it really is a drag and a time cost to try to follow good practices. I hate the extra password manager and authy steps on my phone when I'm in a hurry. It can be a real challenge to juggle apps and find your way back to the app which you are logging in on (twice or three times! - copying username from bitwarden, switching back to paste it in the username only page of the app, then repeating to do the password, and then finally switching to authy for the 2fa and back). No typical user is going to suffer this in the name of security.

Some fundamental changes need to be made to devices, UIs, apps, and even legislation to improve this. Cookie popups are not the answer (especially when the pop-up is so large that it doesn't even fit entirely in the visible area of my giant phone).

> Most users can't or won't be bothered to take even minimal steps to improve their security or privacy.

Anti-virus was the first thing anyone installed on their PC in the 2000s. I think we will soon see a similar trend for mobile devices.

Woefully enough, a lot of anti-virus vendors are now instead among the worst offenders in terms of not respecting their users' privacy. Their privacy policies are the stuff of nightmares.

Turning off ad personalisation requires you operate under the assumption that the ad companies can be trusted. If you're actually concerned about your privacy (and security) you should at the very least install uBlock Origin. After suggesting that to family members the amount of "tech support" I need to do each year went down substantially.

I set up Pi-hole on a Raspberry Pi a day ago. So far it has blocked 4800/20000 queries to the internet. Until I had Pi-hole I didn't realise how prevalent tracking was. With a router that allows you to configure the DNS you can protect all the devices connected to your network without any other configuration; otherwise you have to configure the individual devices. Great for mobiles and TVs where you can't add an ad blocker.


Definitely giving these guys a donation; they're doing the Lord's work.

This all feels like you’re getting a false sense of security.

Great, you are reducing your footprint but what remains is undeniably vast.

The article recommends basic security and privacy precautions, such as using strong passwords, being aware of phishing scams, and avoiding apps with excessive permissions. The article's slight against ad blockers is a mistake, since uBlock Origin on default settings is both effective and low-maintenance. Besides this, most of the recommendations seem like good suggestions for everyone, even if following them isn't enough to prevent all types of tracking.

We have an article in our constitution (ca. 1999?):

> "Every person has the right to privacy in their private and family life and in their home, and in relation to their mail and telecommunications."

> "Every person has the right to be protected against the misuse of their personal data."

If yours doesn't already have one, I'd recommend the addition.

Serious question, not trying to be snide, but aren't all the American companies tracking Swiss citizens anyway? Or is there some strong enforcement I am missing

Exactly the selfish reason why I recommend the practice be more widespread :-) The trick to bootstrapping is to start with either a scratch chicken or a scratch egg.

(not that there's much hope of the particular case you mention. The most recent amendment proposal to the US constitution that has actually been ratified dates from 1971: https://en.wikipedia.org/wiki/Twenty-sixth_Amendment_to_the_... )

Bonus image: https://c8.alamy.com/comp/ERH50D/the-adventures-of-baron-mun...

To point 3 - Protect what matters most - please do check out Peergos (https://peergos.org). We provide private and secure online storage that collects no metadata and is not dependent on DNS or TLS.

Disclaimer: I am one of the Peergos devs.

a bit ironic to be greeted with this note (at least in the EU):

> By choosing “I agree” below, you agree that NPR’s sites use cookies, similar tracking and storage technologies, and information about the device you use to access our sites to enhance your viewing, listening and user experience, personalize content, personalize messages from NPR’s sponsors, provide social media features, and analyze NPR’s traffic. This information is shared with social media services, sponsorship, analytics and other third-party service providers.

EDIT: to be fair to NPR at least they offer a plaintext alternative. You don’t see it much with other websites.

A site about privacy with a cookie approval wall. Couldn't make it up.

> Soltani says he rarely recommends steps such as using ad blockers or VPNs for most people. They require too much attention and persistence to deliver on privacy, and even then they are limited in their effectiveness.

Decent article, but a bit light on easy-to-use, practical details. They seem to make the case that ad-blockers are ineffective and too much of a hassle, but that's not my experience at all. I agree that tracking and privacy is a cat-and-mouse game, but I think ad-blocking currently is one of the easiest and most effective ways to block trackers. I installed uBlock Origin on my family's computers a couple of years back, and it has Just Worked™.

The next logical step would probably be Pi-hole or NextDNS for deeper blocking than some browser ad-blockers, as well as for blocking outside of a browser. I have DoT set up on my router and most of my portable devices, and there haven't been any hiccups yet.

All bets are off once tracking is implemented server-side though. The way GDPR currently has been enforced has led to a lot of bad practices by the tech industry, so we'll probably need new laws that regulate data gathering.

This article is woefully short on actionable tips that aren’t already common knowledge.

Some better ones:

- uBlock Origin

- Cookie Autodelete

- a VPN

Please for the love of Jobe stop giving people the advice to use a VPN without qualification

A VPN won't stop you from being tracked online, and using a non-self-hosted VPN is a very, very bad idea if "not being tracked online" is something you care about.

VPNs help a lot in obscuring your physical location. Most people seem to forget that an IP is a coarse location.

A VPN plus regularly deleting most/all cookies actually prevents most of the common and pervasive tracking online.

It also gives access to all that tracking data to a single company who in turn ma

- sell your data now
- sell your data when they get acquired
- get hacked
- give your data to a government that would normally not have access to it

Today, your ISP is probably doing all of that now, with a real billing address & identity. Your ISP is your default VPN. For example, Comcast sells traffic data to marketing firms. And because they sell that data to adtech, private investigators, the govt and creeps can also buy the traffic log of whatever is in your house.

At least with VPN services, you can change it easily AND you can make it so all they know about you is a coarse IP, set via paying cash (see Mullvad), vs. a fucking billing address. And changing VPNs is a lot less work and has far more options than changing your ISP.

No, it doesn’t. The majority of traffic is TLS encrypted these days.

TLS won't cloak your IP address or your browsing history from the VPN provider... so, even if the content is TLS encrypted, your VPN provider has access to that metadata (+ more) across all sites you visit while connected to their servers, which they can then turn over to law enforcement on request[1], or leave on an unsecured S3 bucket (or similar) somewhere[2].

So yeah, in short, we shouldn't be recommending the use of third-party VPNs without qualification. There are valid use cases sometimes, but avoiding tracking is very much not one of them.

[1] https://securitygladiators.com/fbi-purevpn/

[2] https://nakedsecurity.sophos.com/2020/07/20/7-vpns-that-leak...
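To make concrete what "TLS encrypts the content, not the metadata" means for the ISP-vs-VPN argument above: whoever carries the packets sees the destination IP and port, and for ordinary TLS 1.2 and 1.3 connections also the server name, because the SNI extension in the ClientHello is sent in the clear before any key is agreed (Encrypted Client Hello, where deployed, is the exception). This added example, not code from any VPN provider or from the thread, builds a minimal ClientHello for a constructed host name and then parses it the way a passive observer would. The host name and the TEST-NET destination address are made up; no connection is opened.

```python
"""Added example (not from the thread): what an on-path observer (ISP, VPN
exit node) reads from a TLS connection without decrypting anything.
The ClientHello bytes are constructed by build_client_hello()."""
import struct


def build_client_hello(server_name):
    """Minimal TLS ClientHello record with a single extension, server_name (SNI).
    The random is zeroed and only one cipher suite is listed; a real client
    sends more, but the SNI layout is the same."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host          # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list          # extension type 0
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + bytes(32)                                     # version, random (constructed zeros)
            + b"\x00"                                                   # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"                        # one cipher suite
            + b"\x01\x00"                                               # one compression method: null
            + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body       # HandshakeType ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the SNI extension of a ClientHello record,
    None if the extension is absent, ValueError if the bytes are not a ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len or hs_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                        # skip version + random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    if pos + 2 > len(body):
        return None                                     # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_total, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != 0x0000 or len(edata) < 2:
            continue
        list_len = struct.unpack("!H", edata[:2])[0]    # ServerNameList
        p, lend = 2, min(2 + list_len, len(edata))
        while p + 3 <= lend:
            ntype = edata[p]
            nlen = struct.unpack("!H", edata[p + 1:p + 3])[0]
            name = edata[p + 3:p + 3 + nlen]
            p += 3 + nlen
            if ntype == 0:
                return name.decode("ascii")
    return None


def observer_view(dst_ip, dst_port, first_record):
    """What a passive on-path party can log per connection: addressing
    metadata plus the cleartext SNI. The application data stays opaque."""
    return {"dst_ip": dst_ip, "dst_port": dst_port, "sni": extract_sni(first_record)}
```

Run `observer_view("203.0.113.5", 443, build_client_hello("news.example.org"))` and the dictionary that comes back is exactly the per-connection record a VPN exit or ISP can keep without breaking TLS. DNS adds a second copy of the same host names, which is why moving resolution to DoT/DoH only shifts who sees it unless the resolver is your own.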

Snowden was in, what, 2013? Better late than never. (tim efa pash natim)

Bonus watchlisting: https://en.wikipedia.org/wiki/IBM_7950_Harvest

Privyet ucbvax!decvax!mcvax!moskvax!kremvax!chernenko, kak dela?

Unfortunately not on mobile, but I'll add to your list Firefox Containers and Self-Destructing Cookies (use only the open source one!). On mobile I use Firefox Focus as my default browser. These techniques mean that for most websites you'll look like a new user each time.

Don't forget something like Pi-hole - every device on your network benefits from blocking ads!
