
Social Subterfuge

A false narrative dominated CT this week, filled with equal parts misdirection and misinformation, both of which you can verify and discern on your own. Chiefly, it concerned the highly disruptive Consensys privacy policy update: MetaMask will start sending IP addresses along with wallet information via Infura.

https://twitter.com/WuBlockchain/status/1595615644720173059?ref_src=twsrc%5Etfw%7Ctwcamp%5Etweetembed&ref_url=https%3A%2F%2Fwww.notion.so%2FSocial-sudefuge-99b4948be68f456ab0003e68fc5f6fae

This was shortly followed by an army of CT influencers recommending a VPN to protect yourself online, a falsehood that will be uncovered here, along with sources for your individual verification.

https://twitter.com/cryptomanran/status/1596171263453675520

In actuality, VPNs are old tech. They were only readily adopted for online use some 20 years ago, leveraging the word “Private” toward institutions that wished to protect network infrastructure. Some time later, VPNs began being marketed toward retail for “privacy”.

What’s worse, these cheap “$3 a month” VPN providers actually carry greater privacy and security risks for end users. These providers often use containerized virtualization services on the same kernel, namely OpenVZ v6, a cheaper virtualization software with the drawback of using older, outdated Linux versions under the hood (inheriting a copious list of vulnerabilities).

Further, by design, the operator of a network (your ISP) and any affiliations (GVMT) can clearly see who is using a VPN by identifying “encrypted packets” passing through ISP gateways: a dead giveaway that a user in the network is using a VPN, with accompanying device information and the source IP address. Why would anyone wish to expose themselves in this way? Well, humans are inherently lazy and prefer the simple option, so the narrative of using a simple, one-click solution was both more engaging on social media and easier for end users to implement and believe true.

Pepe switches on VPN

Privacy?

The truth of the matter is, the level of privacy we wish to achieve depends on the individual needs of the user. Therefore, these needs are constantly in flux. Identifying user needs involves a certain level of threat modelling. To demonstrate this, let’s borrow an analogy from this article.

What is the best way to protect some diamonds worth a few thousand dollars?

Well, you could leave them in the living room; perhaps your house is secure and, in your personal opinion, this is safe. But people can still look in and see that you have the diamonds, where they are, and roughly how much you are hiding (equivalent to a cheap VPN). So let’s say you decide to hide them in a safe, in your house, in an arbitrary room. Now onlookers cannot discern where the diamonds are, but they might be able to see the safe (equivalent to a standard VPN). So let’s hide them inside a safe, under the floorboards, in your bedroom. Now no onlookers can tell if you have diamonds, or if you have a safe, as its location is safely obfuscated under the floorboards. Go one step further and distribute the diamonds in multiple houses under multiple floorboards (equivalent to a Secure Private Network). This is, generally, the level of privacy we wish to achieve online. We do not want our asset information uncovered, and we do not want our location uncovered either.

Demonstrably, VPNs are not fit for this purpose. Why use a VPN if someone can see you are using a VPN, from which device, and where? You are only further enabling your discovery. Remember, VPNs were not initially developed to enable user privacy but institutional device security; only later were they adapted for retail use.

Telemetry Minimization

Device information is almost always collected using some type of telemetry. Telemetry is simply packet requests and receipts over the internet, and it can be blocked.

Portmaster is a free and open source tool you can leverage to achieve this level of privacy quite easily, blocking the telemetry of applications that you do not recognize or that you do not wish to collect information pertaining to yourself or your device. Thus, we achieve a single identity that is not replying to application requests for device or network information. The diamonds are now under the floorboards.
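Before deciding which applications to block, it helps to see which processes hold external connections at all. The sketch below is an added example, not code from this post or from the Portmaster project: it parses `ss -H -tunp` output on Linux and lists processes that are not on a personal known-apps list. The sample lines, process names, addresses and KNOWN_APPS are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample of `ss -H -tunp` output (documentation-range addresses).
SAMPLE = """\
tcp ESTAB 0 0 192.168.1.20:51514 192.0.2.10:443 users:(("firefox",pid=2211,fd=87))
tcp ESTAB 0 0 192.168.1.20:51520 198.51.100.7:443 users:(("firefox",pid=2211,fd=91))
tcp ESTAB 0 0 192.168.1.20:40022 203.0.113.50:443 users:(("updater-helper",pid=3390,fd=12))
udp ESTAB 0 0 192.168.1.20:40112 203.0.113.99:443 users:(("wallet-app",pid=4101,fd=33))
tcp ESTAB 0 0 127.0.0.1:45000 127.0.0.1:5432 users:(("psql",pid=5000,fd=3))
tcp ESTAB 0 0 [2001:db8::20]:51000 [2001:db8::1]:443
"""
KNOWN_APPS = {"firefox"}  # assumption: applications the user recognizes

PROC_RE = re.compile(r'\("([^"]+)",pid=(\d+)')

def parse_ss(text):
    """Return one record per socket: (process, pid, proto, peer_ip, peer_port)."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, peer = fields[0], fields[5]
        host, _, port = peer.rpartition(":")
        if not port.isdigit():
            continue  # e.g. "*" on listening sockets
        m = PROC_RE.search(line)
        # ss omits the process column for sockets owned by other users
        name, pid = (m.group(1), int(m.group(2))) if m else ("<unknown>", None)
        records.append((name, pid, proto, host.strip("[]"), int(port)))
    return records

def external_peers(records):
    """Map process name -> sorted external peers, skipping loopback traffic."""
    peers = defaultdict(set)
    for name, _pid, proto, host, port in records:
        if ipaddress.ip_address(host).is_loopback:
            continue
        peers[name].add(f"{proto}/{host}:{port}")
    return {name: sorted(found) for name, found in peers.items()}

def unrecognized(peers, known_apps):
    """Processes with external connections that are not on the known list."""
    return sorted(name for name in peers if name not in known_apps)

if __name__ == "__main__":
    peers = external_peers(parse_ss(SAMPLE))
    for name in unrecognized(peers, KNOWN_APPS):
        print(name, peers[name])
```

On a live Linux host the same functions can be fed the output of `ss -H -tunp`, run with enough privilege to see every socket's owning process.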

Obfuscation

A better solution might be to multiply and spread your online identities across a “secure” private network (SPN). This way, you can leverage “telemetry minimization” with some level of obfuscation provided by the SPN. Safing SPN achieves this, working in tandem with Portmaster. Much like any VPN service, Safing rightly charges a fee for this, but the network is superior, as SPN “selects the final server (exit node) as close as possible to the destination server (eg: server of a website)”, with the complimentary freedom to choose the exit node geolocation should you require it. Unlike VPNs, which were not originally developed for retail use, the SPN was developed with user privacy as a core tenet. Distributed identities are a masterstroke for identity obfuscation.

Identity Privacy

Now, having leveraged telemetry minimization and a Secure Private Network, you have safely stored the diamonds in a safe under the floorboards in multiple houses, making it much more difficult to discern who you are, or where you are, at any given time.

For now, this tool can only be utilized on Microsoft or Linux devices, and I do not offer any solution for a mobile wallet or mobile network protection. But I can recommend you at least reconsider using VPNs on iOS devices in light of the information below, an issue that has been ongoing for some time.

https://www.macrumors.com/2022/10/13/ios-16-vpns-leak-data-even-with-lockdown-mode/

Telemetry and Identity Test case

To test the impact of telemetry minimization above, you can use Portmaster to block unknown connections while signing up for a new GitHub profile. I did this, and within 24 hours the profile was flagged as suspicious and blocked from public view. Such is the impact of arbitrary web services’ reliance on telemetry.

Helpful Sources

https://gist.github.com/joepie91/5a9909939e6ce7d09e29

https://overengineer.dev/blog/2019/04/08/very-precarious-narrative.html