▲ 16 r/PrivacyToolbox+2 crossposts

Chat control is a technical joke and the EU council knows it.

You cannot have end-to-end encryption with a government backdoor. It is a mathematical impossibility. The Council of the European Union trying to sneak this "Chat Control" proposal through a fast-track written procedure before recess is cowardly, but more importantly, it is a catastrophic security risk.

I manage networks for a living. If I told my boss we were going to scan all internal communications on user devices before encrypting them, I would be fired for introducing a massive vulnerability. Client-side scanning is not "targeted safety." It is local malware mandated by the state.

The 800 scientists who signed the open letter are right. Once the scanning infrastructure is on the device, the security model is dead. It will be abused, leaked, or hijacked. I left a corporate gig years ago because management covered up a state-level surveillance exploit. This is that same philosophy, just scaled to half a billion people.

How are you planning to handle your communication if this passes? I'm already looking at self-hosting Matrix nodes for my family back in France.

reddit.com
u/EnthusiasmRoutine — 6 hours ago
▲ 3 r/PrivacyToolbox+1 crossposts

netnut domain seizure shows why you need to vlan your IoT garbage immediately

Alarum stock crashed 70% because the FBI finally pulled the plug on NetNut. They called it a "residential proxy network," but it was just a two-million-node botnet built on unpatched smart TVs and cheap home routers.

Consumers buy a cheap television, connect it to their main network, and never check the outbound traffic. Your television is literally routing state-sponsored malware because you could not spend five minutes configuring a basic firewall rule.

The entire "residential proxy" industry is built on this exact lack of basic hygiene. If you are not actively segmenting your home network, you are hosting exit nodes for criminals. Check your DNS logs today. Are you seeing weird outbound connections to Alarum or NetNut domains? Block them.

reddit.com
u/EnthusiasmRoutine — 1 day ago
▲ 2 r/PrivacyToolbox+1 crossposts

ATF canceling the penlink contract changes absolutely nothing.

I see people on privacy forums celebrating the ATF dropping their Webloc contract after getting caught doing 300 warrantless location searches. This is typical political theatre. It solves zero fundamental issues.

The actual data pipeline remains completely intact. Adtech SDKs embedded in thousands of utility and weather apps still harvest raw GPS coordinates from your phone. These coordinates are packaged, aggregated, and sold to commercial brokers. Penlink was just a convenient middleman with a clean dashboard. If the ATF cannot buy it directly today, they will query ICE databases tomorrow. Or they will simply wait for the news cycle to shift and sign a contract with a different broker under a different line item.

From my perspective as a sysadmin, this is like finding a critical SQL injection vulnerability in your database and deciding to just block one specific IP address instead of fixing the code. It is useless. You have to patch the underlying bug. In this case, the bug is the lack of strict data sovereignty laws that outright ban the commercial sale of telemetry.

Until that adtech broker pipeline is legally dismantled, this cancellation is just a minor routing detour for state surveillance. I ran from a multinational years ago because of this exact kind of normalized back-door access. It does not stop.

Is anyone here actually changing their mobile setup to mitigate this, or are we just pretending a minor budget cut is a victory?

reddit.com
u/EnthusiasmRoutine — 3 days ago

California's DROP api integration deadline is next month. Here is why I am skeptical of the architecture.

The California Privacy Protection Agency is forcing data brokers to integrate with the DROP platform by August. From a pure systems perspective, a single API to push deletion requests to 600 plus brokers is technically efficient. It beats sending manual opt-out emails.

However, the architecture relies on trust. Brokers query the state system every 45 days and have 90 days to delete and report back. There is zero cryptographic verification. A broker can easily apply a soft-delete flag in their database while keeping the raw backups intact. I have seen multinational systems do exactly this to bypass compliance audits.

It is a minor victory for consumer convenience, but it is not true data sovereignty. Real autonomy requires local-first data minimisation. You cannot rely on a state-run hub to clean up your trail. What happens when the DROP registry itself gets breached?

reddit.com
u/EnthusiasmRoutine — 3 days ago

The supreme court finally killed the third-party doctrine for geofences, but the data still exists.

The US Supreme Court ruling in Chatrie v. United States is a logical correction. The third-party doctrine was always an obsolete legal fiction when applied to modern GPS telemetry. You do not "voluntarily" share your coordinate history with Google just by walking around with a powered-on device. The network stack requires this data flow.

But as a sysadmin, this changes nothing for actual OPSEC. The databases still exist. Google still logs your movement. Governments just buy the exact same data from commercial brokers now anyway, which bypasses the court entirely.

If you rely on foreign judicial decisions to protect your privacy, you have already lost. True autonomy requires local encryption and OS-level blocks. Are people actually changing their device configurations because of this ruling, or just celebrating a piece of paper?

reddit.com
u/EnthusiasmRoutine — 4 days ago

The mullvad / windscribe drama shows how few people actually understand threat modeling

I see the privacy subreddits losing their minds because Mullvad's co-founder donated to the Örebro Party. Now Windscribe is posting memes about dog rescues to farm cheap karma. Honestly, it is exhausting.

As a network admin who has walked away from previous employers for covering up actual state surveillance flaws, this outrage over a legal donation is ridiculous. I care about infrastructure, not culture wars. Does Sweden's shifting political climate threaten the legal jurisdiction of the servers long term? Maybe. That is a valid sovereign risk to calculate. But does a personal donation compromise the active WireGuard tunnels today? Absolutely not.

If you choose your encrypted routing based on whether a CEO is a "good person," your entire threat model is broken. This is cryptography, not a charity gala. Mullvad still has a solid no-logs architecture, anonymous accounts, and cash payments. Those technical realities protect your data.

Windscribe's PR stunt is just cheap marketing for the easily amused. If you are migrating your entire stack because of Swedish local politics, you are reacting on pure emotion. Stop treating utility tools like lifestyle brands.

reddit.com
u/EnthusiasmRoutine — 5 days ago
▲ 98 r/PrivacyToolbox+1 crossposts

The UK's proposed "VPN restrictions" to enforce the under-16 social media ban is a technical trainwreck in the making

Structurally, any government attempting to restrict VPN use to stop teenagers from scrolling TikTok is fighting against basic network mathematics. I manage network infrastructure for an SME. You cannot block or degrade consumer VPN protocols without also breaking the commercial IPsec and WireGuard tunnels that businesses rely on daily to operate.

If Liz Kendall pushes through these anti-circumvention mandates next month, the state has two choices. They can force ISPs to run invasive Deep Packet Inspection (DPI) to block handshake signatures, which is what authoritarian regimes do. Or, they can try to force app stores to geofence VPN downloads. Both are trivial to bypass. Anyone with a basic understanding of routing can set up a private VPS in Spain or France in five minutes and tunnel out via SSH.

This is security theatre designed by bureaucrats who do not understand how the OSI model works. They are sacrificing basic routing integrity and citizen privacy to solve a parenting issue. The UK is heading down a path where they either build a Western version of the Great Firewall or, more likely, pass a useless law that everyone under the age of 14 easily circumvents.

How are other network admins preparing for the inevitable routing mess this will cause if they actually try to enforce it?

reddit.com
u/EnthusiasmRoutine — 6 days ago
▲ 4 r/PrivacyToolbox+1 crossposts

Finally degoogled after a decade: full breakdown of my new stack

Been a Gmail user since 2014. Drive, Photos, Maps, Android, Chrome, the whole stack. I work in infra so I knew exactly what I was trading away the whole time, and I still kept paying the rent in personal data because the convenience was unbeatable.

Then last summer I spent a weekend pulling the takeout archive. Forty something gigs. I scrolled through location history from a trip I barely remembered and something just snapped. Not in an outraged way. More like seeing your bank statement and realizing you've been auto subscribed to something for six years.

So I migrated. Slowly, methodically, because doing it fast is how you lose stuff.

Email: moved to a paid provider running its own infra. Set up a catch all alias so every service gets a unique address. Already caught two leaks this way because spam came in on aliases I only ever gave to one company.

Files: self hosted Nextcloud on a small VPS for the stuff that needs sync, encrypted local backups for everything else. Nextcloud is fine, not amazing, but the apps are decent now and it does what I need.

Maps: Organic Maps for offline, plus a privacy respecting alternative for live traffic. Losing the restaurant reviews hurt more than I expected. Still adjusting.

Browser: Firefox with uBlock, containers, and a hardened user.js. Chrome is genuinely a brilliant browser. That's part of the problem.

DNS: pointed everything at a filtering resolver that blocks trackers at the network level. Caught my smart TV phoning home like 2000 times a day. Two thousand. For a TV I use maybe four hours a week.

VPN: this is the one I want to talk about because most posts get it wrong.

A VPN by itself doesn't make you private. What you're actually doing is moving traffic visibility from your ISP (legally required to log and often sell) over to a VPN provider (who claims they don't log). If that provider is sketchy or sits in a jurisdiction with mandatory data retention, you're worse off than before. Full stop. It is a trust transfer with extra steps.

So why use one at all. For me there are three real reasons. My ISP builds a profile of every domain I visit and sells it (not theoretical, look up the FCC reversal in 2017). Hostile networks like hotel wifi, airport wifi, that random coffee shop AP that asks for an email before letting you online. And geo bypass when I travel, which is the use case nobody admits to but everyone has.

What a VPN does not do is also worth being honest about. It does not hide you from sites you're already logged into. It does not stop browser fingerprinting. It does not make you anonymous (you want Tor for that, and even then it's complicated). And it does not protect you from malware sitting on your own machine.

How I actually picked one, after wading through way too many shilled "best VPN" listicles. I wanted an independently audited no log policy where the audit was recent and the report was publicly downloadable. RAM only servers, so state can't persist across a reboot or a seizure. A real company with a verifiable address and leadership, not a shell registered in some tax haven. WireGuard native, not some weird custom protocol they invented to sound proprietary. Two providers met all four. I picked the cheaper one.

I'm not naming it because every time someone does in these threads it turns into an ad and a flame war. The auditor reports are public PDFs. Read them yourself, it takes 30 minutes.

Total cost for the migration including VPS, email, and VPN: about 140 bucks a year. Time investment, maybe 20 hours spread over two months.

What I genuinely miss is Google Photos search. Typing "beach 2019" and it just works. Nothing else comes close yet and I'll admit that openly. What I don't miss is the creeping feeling that every search and every location and every email was being silently catalogued into a profile I'd never see.

Happy to answer questions on any piece of the stack. The hardest part isn't technical. It's accepting nothing will be quite as smooth as the walled garden you just walked out of.

reddit.com
u/EnthusiasmRoutine — 1 month ago