So this is just my “functionally paranoid” (the motto of OpenBSD, by the way) estimate of where things are. I’ll describe two problems, one of which I call the trumpet problem, and the other is plain theft.

Trumpet

There’s a lot of security to be had involving encryption. When you visit a website using https://, you establish an encrypted connection so that the data is garbled in transit. Still visible are the source and sender. So then you use a VPN, which separately encrypts a connection between you and the VPN provider, so that you seem to be somewhere else — you seem to be somebody else, from a networking perspective. This is a pretty good set-up for excluding casual threats along the way for most of the length of the connection between you and the website you are using. An obvious vulnerability is a weak or dishonest VPN provider, which happens a lot. Still, one of the more effective reasons to use a VPN is to prevent your ISP (Verizon, say) from collecting that tasty, tasty metadata about where you go and when, and in what combinations. Although the VPN ends at some point, it carries you safely past the ISP who knows a lot about you. Also, the VPN encrypts everything, not just browser connections one at a time. https:// doesn’t protect your local email application’s traffic, but your VPN does.

Think of this more-or-less secure connection between you and your chosen website as two metal pipes — one of which goes from you to your VPN provider, and a narrower pipe inside that one that reaches past the end of the VPN pipe all the way to the website’s server. Yet there’s still the problem of the open ends of the pipe. You have no control over the far end, and in fact, you have very little control over the near end either — “your” computer.

The attack surface expands greatly at the near end, like the bell of a trumpet and is anyway open to you, as well as to anybody who manages to attach to that big flaring bell. The distant server end is more like the mouthpiece of the trumpet. It’s typically better-managed, using more securable technologies than your PC at home. So yes, each of us lives at the loud end of the trumpet, which soothes us with music while the server surreptitiously scoops up our data.

You use a browser to access things on the server. The browser is almost always a full-powered no-kidding executable application on your machine. It has permissions and powers, and access to all of the hardware, software, system calls, configurations, logs, and all of your “personal” files. It has on-board facilities for interpreting many types of mobile code — even HTML is an attack vector, as the browser is just a system for getting instructions (HTML) and content (files) from a server, carrying out those instructions, and displaying that content. “Carrying out instructions” is all that computers do, and those instructions can come from any source.

Websites that show you advertisements almost always simply reach out to an ad-host, pull down some of this mobile code, and stuff it into the content that you wanted from the actual site server. What’s in that advertising mobile code? Who knows? Banner ads, pop-ups, and the like are mad vulnerabilities.

Cookies are files that your browser stores on your computer at the request of … whomever. They typically contain some gibberish which one way or another is meaningful to somebody — just not to you. A cookie can be position-coded, or a unique ID, or a hash of options from a finite set, or plain old encrypted data. The point of a cookie was of course benign at first, so that you didn’t have to log into a site like Amazon every time you surfed to a new page. It established a “session” so that whenever your browser showed the cookie to Amazon, they said, “Oh, it’s you, Bob.” The problem is that cookies were fundamentally a way to write to your computer, store on your computer, and read from your computer. That’s kind of like saying it’s not your computer. There are numerous controls over cookies, which are honored in some cases and not in others. In general, though, it’s bad. The most effective control over cookies is the generally-accepted limit on their size. This limit varies, but it is a limit, which is better than nothing.

Bob’s cookie identified him to Amazon in a fairly secure way. If somebody else had that cookie’s “session ID”, they could jump onto Amazon and act as Bob — a man-in-the-middle attack. A little cookie, a little SYN/ACK tomfoolery, and Bob is no longer your uncle. So https:// encrypts the connection between you and Amazon in order to protect your session ID as well as whatever you were actually doing.

Still, a great many sites want to know who you are, what you’re looking at, what you buy, who you talk to, and so forth. If you can successfully conceal who you are, the rest of that is much less valuable, and your identity must be reconstructed (“de-anonymized”) by those who wish to complete the picture and sell it. Enter browser fingerprinting.

A browser is a program that first knows itself. It tells websites and such what sort of browser it is, what version it is, how much file storage space is allocated to it, whether or not it can use java, flash, DRM systems, and so forth. It then knows about the system it is on, and so it dutifully reports the easy things like OS version, hardware (Dell model 1234), the date the machine was set up, username of the current user, and so forth. Then it gets really interesting. The server on the far end can use straightforward or truly subtle trickery to tease a lot more information from the browser. Straightforward would be asking what the video card is, what the current resolution and max resolution of the screen are, the window’s size. Subtle goes into things like exporting a list of all wireless access points in view as well as the signal strength indicated, and timing responses from the video system.

The browser doesn’t have to be told what typefaces (“fonts”) are installed on your system — it will just attempt to write meaningless phrases on a screen that doesn’t exist in every typeface that the server knows, and the browser reports success or failure. Now the server knows more than the browser does about your typefaces, your neighbors, your exact location, and a partial history of places you’ve been (say, cached wifi APs). This information when combined provides a numerically formidable idea of your identity.

Typeface analysis alone can greatly narrow the range because your browser (probably) automatically downloads typefaces needed to make various websites look proper. Each individual typeface says little, because each typeface is used by a large number of sites. But they don’t all use the same subsets, and the list of all the typefaces that you have collected will match with subsets of sites that are observed together.

Consider this — your PC certainly knows your own wi-fi name (MAC address if nothing else), and the server trying to figure out who you are can compare that MAC Address (like a networking hardware serial number — sorta) against the records it collects from everybody else. The thing about “just the metadata” and “anonymized” is that they don’t need your data to de-anonymize you. They just need to be able to cross-reference enough data points to nail you: time, place, name, likes, friends, and sites visited. These datasets exist, the number-crunching power required is almost trivial compared to what exists, and there is no turning back. Not one of us will ever disappear from the records. We who were online from the web boom in 1993-94 have left a shining trail, littered with autographed self-portraits. The only thing we can do now is try to limit the amount of data and metadata that we currently leak.

Theft

Yet increasingly, all tech companies are data theft companies. The hardware makers are in on it. The OS makers are in on it. The application makers are in on it. The network, switch, routing, ISP, VPN, backup, file-sharing, heartbeat monitoring, and step-counting people are in on it. Why, there oughta be a law, and of course, there sort of is, but the real target would be a world-changing combination of RICO, contracts of adhesion, privacy, and monopoly law. This will never happen, because of the cozy arrangement between big government and big tech. Tech steals what government is unable to demand, and government protects what tech is unable to defend. They do it together; they share in the spoils.

In general, online services are consumed on your PC by applications, which use the operating system to run on hardware. So: services / apps / OS / HW.

With our trusty metal pipe, we have managed to secure the online services, so that the applications can trust them. The applications need securing. Some are securable, while some are hopeless. My current browser of choice is “LibreWolf”, which you may think of as Brave for Firefox (Brave is a much more secure version of Chrome, and LibreWolf is a MUCH MUCH more secure version of Firefox). LibreWolf by default turns off a lot of the fingerprinting stuff, and there are pre-made config files you can download which go a lot further. Personally, I use the arkenfox config with tweaks. Why not use arkenfox on Firefox? You could (and I would guess that it started there), but the LibreWolf guys actually compile the browser with different options than Firefox, because some of the options cannot be changed through config.

So let us stipulate that my applications are now “secure” (ha!). Next comes the OS, the operating system. Fundamentally, the OS is the part of an application that every application needs in order to run on a computer (like reading and writing files, printing, getting online, accepting keyboard inputs, and showing things on the screen), so they just collect all that junk and make a special application that does nothing but provide those services to other applications. Naturally, this “Operating System” application must be all-powerful — any part of the machine with permission not given to the OS might as well not be on the machine.

When the application needs to store something in a file, all it has to do is bother the OS to “make a file, name it ‘shopping list,’ and standby for me to type until I get sleepy and just tell you to save it and close.” How the OS does that is a matter of indifference for the application. Maybe the OS just opens a pipe right down to the carpet beneath the desk and writes it on the backs of dust mites. Nobody cares. But my goodness, what a tempting target for information filching. This is where the real power is. All of those things that our browser labored to guess and tease from the system, the system already knows.

Say I use the world’s most secure file-encrypting application to store my shopping list on the disk. I create an empty file and encrypt it. I open and decrypt the file, and write things into it. Then I encrypt and save the new version. The operating system just saw everything that I did. Every keystroke was handled by a system call or a running routine. Sometimes lower-level pieces do this (BIOS), but the problem is the same. What if the OS takes my keystrokes and splits (“tees”) my typing so that a copy of it gets encrypted into the file, and a copy of it goes straight to our trusty dust mites? The application has no clue, and neither does the user. And if the OS doesn’t do that, who is to say that the hardware doesn’t? And this is without even considering temp files created while you have it open, or ransacking your “recycle bin.” My goodness is that thing ever aptly named.

So at this point, we’re just speculating. And that’s how it’s likely to stay because much of this is below the level that most people will ever get traction on. Security researchers, bless their Cheeto-clogged hearts, will suss some of this from time to time. Still, consider the opportunity and the capability for this sort of thing to be done. Our dust mites may in fact be a temporary storage device, or a reserved piece of another device, or a temporarily allocated, fleeting location on a CPU, cache, RAM, video, or other chip on the system. It only has to persist until it can be encrypted by a different mechanism, and then stored. Perhaps as metadata in ordinary files like the encrypted blobs in common office files. Not all of the file is in XML; just the parts that you care about. Perhaps the encrypted data is stored as cookies — hiding in plain sight. We expect them to be gibberish, and to a sufficiently dispossessed user, gibberish is indistinguishable from very good encryption. One method would be to include a seeming hash which when actually hashed will produce a known value that advertises “I am a file containing pilfered metadata at typical locations 2 and 47,” and the rest is gravy.

Obviously, the goal is not to steal all of your precious data — the data that is precious to you. This process will ignore anything in your Windows/Win/Win32/System and so forth directories. MS knows what’s in there — they put it there, and the same is true for the Apple side of the house. Likewise, they don’t want your movies, your music, your photographs, your games. Starts looking like a much smaller task now, doesn’t it? They might note the filenames, but they’re not grabbing the files. And if I were actually running this data theft program, and had to prioritize, I would make recently changed files my go-to.

They don’t need to grab your hard drive. Your interactions with it will point them to what they need, a shining trail. They don’t need all of anything. They just need enough small pieces of small things to fill gaps in knowledge. This is how tech will help prioritize the actions of government for when they really do want to ransack your disk, to turn your digital apartment upside-down.

While poking small amounts of data into files and cookies may seem like a lot of trouble to go to in order to get anything useful, consider five things:

1. The value if it were done.
2. The ease of transport.
3. The capacity of your machine to spend its time on millions of tedious tiny things that you don’t care about.
4. The enormous installed capacity of big data.
5. The fact that everything is pushing you harder and harder into cloud apps, sharing files, backing up, logging in, subscribing, validating your existence, renewing your “license,” and so forth.

Notice how all of these apps need to phone home now? And who knows what gets pushed in the endless stream of “usability” updates, not just the security updates. All I know is my purely desktop copy of Office started telling me my login name to a system I wasn’t logged into, right in the title bar, as well as, “not logged in”. Thanks, Windows. Thanks for putting that all together in the background despite the fact that I did not want this copy of Office to be “online-aware” and have never used OneDrive. Granted, that’s trivial compared to the dust mite thing. But boy, are they motivated. They get what they want.

Screwed

I have presented a brief description of a possible method, with some background, some hand-waving (and a little help from our face-eating friends) for exfiltrating data. I am no expert, but that doesn’t mean I’m out here with a dowsing rod calling the geologists fools. I know a little.

I used to think that hiding in the crowd was secure enough. It is certainly true that going all security-conscious will raise your profile for increased scrutiny just in case anybody’s watching. Again, let the user report identify himself through his action. But I now believe that even the herd defense is of little use. The technology has proceeded so far, so fast, that ubiquitous collection is well plausible. I haven’t proven anything, but I try to make a reasonable case (Wake up, sheeple!) that an assumption along these lines is reasonable.

What is left is to try to segregate areas of your life into different channels, and secure those individually, to whatever extent is possible. But that’s a story for another day.