Privacy on the Internet

Jan 13, 2021

The Promise -

Couple of weeks back I woke up to this prompt by WhatsApp first thing in the morning -

Not my screenshot. I forgot to take one. This is off the internet, from an iOS device.

TL;DR - WhatsApp is updating their privacy policy, and they're going to start sharing even more data with Facebook, it's parent company, and if I don't agree to it by February 8th, WhatsApp will delete my account.

Right off the bat this felt like beginning of a bad move by WhatsApp. The moment you start holding your users hostage to a clause, and threaten to kick them out, that almost certainly means that something is wrong. This quote is from the explainer posted by Internet Freedom Foundation -

Recently, WhatsApp released an in-app notification forcing users to accept its revised privacy policy by 08 February 2021 or stop using its service entirely. The new privacy policy confirms that Facebook may now have access to messages shared with businesses on WhatsApp and it provides more insight into expansive meta data collection by WhatsApp. The latest changes to WhatsApp’s privacy policy cement the problematic status quo which has existed since the privacy policy was first updated in 2016.

What IFF is mentioning there is the statement by WhatsApp when they were acquired by Facebook in 2014. This is what they said back then -

If partnering with Facebook meant that we had to change our values, we wouldn’t have done it. Instead, we are forming a partnership that would allow us to continue operating independently and autonomously. Our fundamental values and beliefs will not change. Our principles will not change. Everything that has made WhatsApp the leader in personal messaging will still be in place. Speculation to the contrary isn’t just baseless and unfounded, it’s irresponsible. It has the effect of scaring people into thinking we’re suddenly collecting all kinds of new data. That’s just not true, and it’s important to us that you know that.

The prompt billions of WhatsApp users received on that morning goes against everything that was promised. So this set off an alarm.

The burning matchstick -

People started to talk more about this. A lot of people accepted this prompt without reading because we're not used to reading terms and conditions. But then later they realised what just happened, and they also got angry. The last straw was this tweet -

Elon Musk asks his followers to use Signal

Thus began the great WhatsApp exodus.

Privacy and Facebook -

People who've never heard of Signal, started joining it. My contacts who are usually the farthest from what you'd call a "Techie", started joining Signal. All in the search for "privacy". This set off a series of conversations in many groups I'm in because most of the people I talk to are techies, and we've been Signal users for years. We've never been able to use it as a regular messaging app because none of our other contacts were using it. But we still had it with us all the time, just in case we needed to have a private chat.

What's interesting about this mass immigration to Signal is that people are talking more and more about what "privacy" means on the Internet. So what if we leave WhatsApp, when we join Signal/Telegram they'll have our data, right? What's so different about it? How does it even matter? Some people started saying that if you move from WhatsApp and still use Instagram, that's just plain hypocrisy. Because of course Instagram is also owned by Facebook. And it's arguably more data hungry.

I had these conversations many a time with many people over the years. So I thought I'll just write about how I see it, what "privacy" means to me, what "privacy" looks like on the Internet, and how I try to protect my privacy on the Internet.

Before I get to what "privacy" means to me, I want to talk a bit about "Facebook". First of all, if you didn't know, Facebook is primarily an advertising company. The only way Facebook makes money is by selling you ads. That's it. At this point, I'd request you to go through this Twitter thread that talks a bit about what Facebook is -

This is the relevant part about Facebook -

Facebook

And that's about it. No, Facebook is not just a website to post about your day, your trips, your food etc. To you, you may use it just for that, but what Facebook does, is to take everything you post, and turn them into data that can be used to show more ads to you or somebody else. Every single thing you post, is linked to you, people of your gender, age group, ethnicity, country, etc etc and then more relevant ads are served to them. That's entirely what Facebook does to make money. And that's also how Facebook, Instagram and WhatsApp are free.

Facebook is not just another company. The company literally has no moral compass. It'll do anything to make money. Even if it means literally poisoning your mind with misinformation, or experiment with you to see what kind of posts make you more angry. And you also literally can't quit Facebook. Even if you delete your account, Facebook has said that it'll still keep tracking you. That's how worse they are.

And that's about what I know about Facebook. And these are all facts.

But I still have an Instagram account. Even though I barely use it. I still have them. But why? If I cared about my privacy, wouldn't I delete it right away?

This is where the definition of "privacy" comes in -

Privacy is the ability of an individual or group to seclude themselves or information about themselves, and thereby express themselves selectively. When something is private to a person, it usually means that something is inherently special or sensitive to them.

The key phrase here is "the ability of an individual or group to seclude themselves or information about themselves". Having privacy means having a choice to seclude yourself or the data about yourself. It can be in real life, and on the Internet similarly. Just as living your daily life doesn't mean you must give up your privacy, in the same way, just using the Internet doesn't mean that you must give up your privacy. I use Instagram from their website and not the app. So Instagram only gets the data I share. It can't snoop on my phone without my knowledge.

This is why companies like Facebook deploys all their time and money into deceiving you to share as much data about you as possible. To a point where you start thinking that there is no point keeping things to yourself anymore. Or rather, it's good to share everything about yourself with everyone on the internet/or the platform, because that's the normal thing to do.

I have people asking me if I'm actively hating Facebook but still using X or Y company, doesn't that make me a hypocrite? There is a good chance you'll face the same question as well if you go down this path. But that's a dangerous line of thought. What they essentially mean by that is, if you use the Internet, then your privacy is compromised. If you stop using Facebook, you must also stop using X/Y company. But that's the real life equivalent of leaving the civilization, and going and living in the woods to protect your privacy. You can be that kind of extremist, but I won't recommend it. To me privacy is being able to choose what I share and with whom I share it. Just like in real life you may trust one person with your secret but not another, similarly you should be able to choose X company with your data, but not trust Facebook (seriously, Facebook is horrible).

Decentralization -

When you start thinking like that, a plethora of options open up for you. And you also stumble upon this concept called "Decentralization of data". Just as they say, "Don't put all your eggs in one basket". Same way, don't share all your data with one company. Your data is more valuable when they can be linked to each other. The moment you decentralize, your value to these companies suddenly go down, and they stop making as much money from you as before.

But how does "decentralization of data" looks like on the Internet? That's exactly what people are doing by moving away from WhatsApp right now. Suddenly Facebook has no idea who you're talking to, at what time, from where etc. The value of your data just reduced a little to Facebook. It'll become minimal when you stop using all products by Facebook, but one step at a time.

Signal -

When you move away from WhatsApp in search for private chat, that's where Signal comes into the picture. If you think Signal is just another messaging app, just like WhatsApp, you'd be wrong. Signal was created to let you chat privately with anyone. The only reason they exist is to let you have a conversation privately. But how do they do it? How do you trust that they're not taking your data like WhatsApp? It's easier in this case. Signal is completely open source. And thousands of people over the last half decade has audited their code and helped them weed out vulnerabilities. That's the power of open source.

I've heard this question by some people that if a software is open source, wont it get hacker more easily? That could be true if the software's code was made open just now and nobody has seen it. But in general open source software are more reliable because people can read their code. There are more eyes on the code,  which means more bugs are reported and fixed. The software gets hardened in the process.

So how does Signal keep your data private? They implement something called end-to-end encryption, ELI5 version of which is that, only you and the person you're talking to will have the keys to the encrypted data. So even if the data is saved by Signal, they'll never be able to read it. That's just how it works. There is a newbie friendly explanation of it at Wired. You can read more about the Signal protocol on their wiki page.

WhatsApp says that they've also implemented the Signal protocol themselves for your data. But they still have access to the "metadata" for your conversations which they keep. "Metadata" means all the information about your conversations. Like -

  • when you're online (this can indicate when you wake up, when you sleep, when you work),
  • who you're talking to,
  • when you talked to them (this can easily indicate your intimate relationships, and they already know who you're talking to),
  • how much you talk to someone,
  • from which location (this can easily indicate where you live, when you're home or not),
  • which business you're buying something from (this is dangerous as our shopping habits tell a lot about us, like, if you're talking to MakeMyTrip, then you're traveling soon etc),
  • using what handset model (this can give idea about your wealth level),
  • using what operating system etc.

And that information in itself is valuable. A lot can be known about you from all of that. And hence WhatsApp keeps this data, and sells it to other companies to show somebody (could be yourself) more ad somewhere. Because that's the only way they earn money.

Signal avoid a lot of this by design. For example -

  • Signal never uploads your address book to their server. Instead, the Signal app calculates a SHA256 hash of each phone number, and then checks that against the hashes of all registered users. Hence avoiding creating a social graph of you that can be sold to someone. If you think that Signal could somehow extract the phone numbers out of the hashes and use that, why would they go into all that trouble when apparently people give away their address book to apps like Facebook and Instagram without a second thought?
  • Signal Protocol also encrypts the "metadata" of your messages by design. The stuff that makes WhatsApp money, Signal can't even access it.

Also, according to the new privacy policy of WhatsApp, if you chat with a business, that conversation won't even be encrypted. WhatsApp is free to see what you're talking to a business about. When you think of it, it makes sense. The only reason you'd talk to a business is if you're buying something. And having access to that data makes it easier to show you more ads.

This is a nice chart that shows how much data some apps have about you -

They collect the same or more data from Instagram as well BTW. Instagram app has been accused of listening to your conversations all the time and then suggesting you ads based on what you talk about.

Signal avoids all that by design. You see, technology to protect your privacy exists. They just don't make enough money for most companies. So they don't use them. You have to seek the tools out that protects your privacy.

There's an app for that -

This is a good spot to be aware of the apps and websites you use and how they treat your data. Because we're talking about trusting each app/website individually, you should be conscious about what data you share with each of them. For example, when you use a website, the website only gets the data the browser is able to share with your permission - your IP address, your browser version, your geo-location (they'll have to ask you for it first), your Internet service provider etc. Not a lot more. But when you use the same company's app, they instantly get access to a lot more. Which is why almost every other website asks you to install their app. Some companies even reduce functionalities of their mobile website so that you are forced to install their app (Yes, I'm looking at you Zomato).

But there are still some companies that are acting considerate and lets you use their mobile website almost at par with their app. E.g. Instagram, Ola, Scripbox etc. And a lot more. When you open a site on your mobile browser, look for the "Add to home page" button for that website. It's a technique called Progressive Web App (PWA) that lets you run a browser tab as a standalone app. And it still abides by the permission provided by the browser.

But as we cannot avoid installing the apps sometime, we need to be vigilant about it. Don't install apps that -

  • have low rating on the app store
  • build by a developer who looks shady or has a bad history
  • relies heavily on ads without a way to turn them off, which could be by buying the app
  • asks for permissions that are unnecessary to the functionality of the app. E.g. - Why does the Hotstar app need access to your camera, contacts, location, microphone, and also see a list of the other apps you have installed? You just want to watch your favorite series. Do you really have to give away this much data just for that?

It's good that a lot more people are talking about privacy now. And the discussions should include these questions. If you reject these malpractices of these apps, they will change. They do these things because we're OK with them.

Ads, ads, everywhere -

One topic related to Facebook that shows up a lot, is advertisements. Ads are the bane of the Internet. To such a level that the brightest minds of our time are being paid toppest dollar just to figure out how to show you more relevant ads.

Ads don't just tell you about an irrelevant product you don't want to buy, they also track you. They track that you saw that ad, from where, at what time, from what IP address, and if they can link you to your account details, then they link all that data to your demographic, as in, that people who look like you, of your gender, of your ethnicity, of your age group, saw that ad at that time. And if you click it, they link all your demographic data with that click, saying that the ad was successful in getting a click in demographic. Yay.

To understand why ads are bad, and why Facebook puts so much money in it, you should probably know that ads don't just tell you what to buy, ads also decide how you think about something. Be it ads on TV, radio or the Internet. Ads exist to manipulate you, to think in a certain way.

You know how breakfast is the most important meal of the day? Guess what? It actually isn't. It was a group of lobbyists who needed to sell more sugary cereal that printed ads everywhere in 19th century that actually made people believe this lie. And we're still buy corn flakes covered in sugar thinking it actually is a healthy breakfast choice. Also, no. Complan/Horlicks wont make you taller, stronger, and sharper. They're also mostly sugar.

Similar examples are everywhere. No, using fairness cream doesn't make you successful in life. No, using that particular brand of paint doesn't save your house from rain. No, using that detergent doesn't make your clothes more white than others. No, that brand of oil is not healthier than the other brands of same oil. No, despite what ads show you all the time, mothers don't belong in the kitchen. Yet, ads have been successful for decades in making us believe all that. You'd still buy a brand name that you've heard most. You'd still buy fairness cream because it gives you confidence, as ads have made you believe. And women can't seem to get rid of the stereotype of belonging in kitchen for some reason. hint hint (This is a broad topic, but do keep an eye on how our media/ads portray traditional gender roles around us)

We believe what we see around us. If you continuously see posts and ads that says X is good/bad, you're more likely to believe it even if you don't realize why. Most of us humans are driven by trends. We're more likely to believe what our social circle is talking about, without thinking critically about it.

These are all examples of TV/radio ads. It's even worse when it comes to online ads. Because almost anyone can post ads anywhere online for very little money. And can manipulate you however they want. Facebook, for years, has actively denied taking down ads that spread misinformation to manipulate people. And it's not just in US. There is a reason that political parties in our country as well spend crores on ads on Facebook. Because it works.

And it's not just ads. Facebook manipulates your timeline to show you only certain types of posts. Usually posts that make you react, irrespective of if it's in a positive or negative way. When you spend all your day looking at ads and a hand crafted stream of information, it's really easy to manipulate how you think about something.

Next time you ask for that particular brand of product from a store, ask yourself, why did you choose that brand and no all the others? There is a good chance that they're all the same. They're all manufactured by the same company somewhere, and then rebranded and kept in front of you in different packaging. And yet you picked one particular brand and not the others. Why?

I'm not sure if I was convincing enough about how bad ads are. But if you agree, then here is my suggestion - do everything you can to block ads on the Internet. Thanks me later.

There are several ways you can block almost all the ads on the Internet. Making a list of things you can do based on your platform/usage of the Internet -

  • Desktop browser - Use ublock origin browser extension. It's available for all major web browsers.
  • Android/iOS - Use Blokada. It's available on F-droid as well.
  • If you control a wifi network that several people connect to, you can get a Raspberry Pi, and install Pi-hole on it. Pi-hole can block ads on all the devices connected to the same wifi network without any extra effort on any of the devices(e.g. phones, tablets, laptops, desktops, TV etc).
  • You can also use a service like nextdns. It helps you block ads by using their DNS servers.

This is what my Pi-hole looks like -

A 6 year old Raspberry Pi 1 B+, still running strong

And this is the pi-hole dashboard -

This is the amount of junk we face everyday on the Internet. Do something about it. Trust me, Internet will feel much more refreshing, and better without ads. (BTW, you can use any of these options to block all of Facebook's urls. Nothing from Facebook will load on any of your devices. To Facebook, it'll seem like you've disappeared from the Internet.)

Caring about privacy -

Caring about your privacy is a journey. Don't expect to achieve what you want on a day. It'll take time to get there. But as long as you think about your privacy, you'll be in much better position than a lot of others.

Let me know what you think. You can tweet me. Or find me on Signal/Telegram. :)