Continuous Improvement is nothing new. In the early nineties, total quality management (TQM) was all the rage. And even then, TQM was a re-visitation of techniques applied in preceding decades. Today, continuous improvement is embraced in nearly every development methodology. But whether from the “fifties” or the “twenties”, the message is still the same: any measurable improvement (whether in processes or in technologies) is the result of a systematic approach. This is true for software development. And it is true for continuous privacy improvements.
Privacy Is Threatened
With every wave of technology change, there have been concurrent improvements in determining what customers desire – and what they will “spend” in order to obtain something. At the same time, customers have become increasingly frustrated with corporate attempts to “anticipate” their “investment” habits. For example, the deployment of GPS and location technologies has allowed sellers to “reach” potential customers whenever those customers are physically near the point of sale. In short, when you go to the Magnificent Mile in Chicago, you’ll probably get ads for stores that are in your vicinity.
While some people find this exhilarating, many people find it frustrating. And some see these kinds of capabilities as demonstrative of a darker capability: the ability for those with capability to monitor and manage the larger populace. For some, the “sinister” people spying on them are corporations. For many, the “malevolent” forces that they fear are shadowy “hackers” that can steal (or have already stolen) both property and identity. And for a very small group of people, the powers that they fear most are governments and / or similar authorities. For everyone, the capability to monitor and influence behavior is real.
Surveillance And Exploitation Are Not New
Governments have tried to “watch” citizens – whether to protect them from threats or to “manage” them into predetermined behaviors. You can look at every society and see that there have always been areas of our life that we wish to keep private. And balanced against those desires are the desires of other people. So with every generation (and now with every technology change), the dance of “personal privacy” and “group management” is renewed.
As the technology used for surveillance has matured, the tools for ensuring privacy have also changed. And the methods for ensuring privacy today have drastically changed from the tools used even a few years ago. And if history is a good predictor of the future, then we can and should expect that we must continually sharpen our tools for privacy – even as our “adversaries” are sharpening their tools of surveillance. Bottom Line: The process of maintaining our privacy is subject to continuous threat and must be handled in a model akin to continuous process improvement. So let’s start accepting the need for continuous privacy improvement.
Tackling Your Adversaries – One At A Time
If you look at the state of surveillance, you probably are fatigued by the constant fight to maintain your privacy. I know that I am perpetually fatigued. Every time that you harden your defenses, new threats emerge. And the process of determining your threats and your risks seems to be never-ending. And in truth, it really is never-ending. So how do you tackle such a problem? I do it systematically.
As an academic (and lifetime) debater – as well as a trained enterprise architect – I continually assess the current state. That assessment involves the following activities:
- Specify what the situation is at the present moment.
- Assess the upsides and downsides of the current situation.
- Identify those things that are the root causes of the current situation.
- Outline what kind of future state (or target state) would be preferable.
- Determine the “gaps” between the current and future states.
- Develop a plan to address those gaps (and their underlying problems).
And there are many ways to build plans. Some folks love the total replacement model. And while this is feasible for some projects, it is rarely practical for our personal lives. [Note: There are times when threats do require a total transformation. But they are the exception and not the general rule.] Since privacy is such a fundamental part of our lives, we must recognize that changes to our privacy posture must be made incrementally – and continuously. Consequently, we must understand the big picture and then attack in small and continuous ways. In military terms, you want to avoid multi-front campaigns at all cost. Both Napoleon and Hitler eschewed this recommendation. And they lost accordingly.
My Current State – And My Problems
I embarked on my journey towards intentional privacy a few years ago. I’ve given dozens of talks about privacy and security to both IT teams and to personal acquaintances. And I’ve made it a point to chronicle my personal travails along my path to a more private life. But in order to improve, I needed to assess what I’ve done – and what remains to be done.
So here goes…
Over the past two years, I’ve switched my primary email provider. I’ve changed my search providers and my browsers – multiple times. And I’ve even switched from Windows to Linux. But my transformation has always been one step away from its completion.
The Next (to Last) Step: De-googling
This year, I decided to address the elephant in the room: I decided to take a radical step towards removing Google from my life. I’ve been using Google products for almost half of my professional life. Even though I knew that Google was one of the largest threat actors in my ecosystem, I still held on to a Google lifeline. Specifically, I was still using a phone based upon Google’s ecosystem. [Note: I did not say Android. Because Android is a Linux-oriented phone that Google bought and transformed into a vehicle for data collection and advertising delivery.]
I had retained my Google foothold because I had some key investments that I was unwilling to relinquish. The first of these was a Google Voice number that had been at the heart of my personal life (and my business identity). That number was coupled with my personal Google email identity. It was the anchor of hundreds of accounts. And it was in the address books of hundreds of friends, relatives, colleagues, customers, and potential customers.
Nevertheless, the advantages of keeping a personal Google account were finally outweighed by my firm realization that Google wasn’t giving me an account for free; Google was “giving” me an account to optimize their advertising delivery. Or stated differently, I was willing to sell unfettered access to myself as long as I didn’t mind relinquishing any right to privacy. And after over fifteen years with the same account, I was finally ready to reclaim my right to privacy.
Too Many Options Can Lead To Inaction
I had already taken some steps to eliminate much of the Google stranglehold on my identity. But they still had the linchpins:
- I still had a personal Google account, and
- Google had unfettered access to my mobile computing platform.
So I had to break the connection from myself to my phone. I carefully considered the options that were available to me.
- I could switch to an iPhone. Without getting too detailed, I rejected this option as it was simply trading one master for another one. Yes, I had reason to believe that Apple was “less” invasive than Google. But Google was “less” invasive at one point in time. So I rejected trading one for another.
- I could install a different version of Android on my current phone. While I have done this in the past, I was not able to do this with my current phone. I had bought a Samsung Galaxy S8+ three years ago. And when I left Sprint for the second time (due to the impending merger), I kept the phone. But this phone was based upon the Qualcomm Snapdragon 855. Consequently, the phone had a locked bootloader. And Qualcomm has never relented and unlocked the bootloader. So I cannot flash a new ROM (like LineageOS) on this phone.
- I could install a different version of Android on a new phone. This option had some merit – at the cost of purchasing new phone hardware. I could certainly buy a new (or used) phone that would support GrapheneOS or LineageOS. But during these austere times (when consulting contracts are sparse), I will not relinquish any coin of the realm to buy back my privacy. And buying a Pixel sounds more like paying a ransomware demand than buying something of value.
- I could take what I had and live with it. Yes, this is the default option. And while I diddled with comparisons, this WAS what I did for over a year. After all, it fell into the adage that if it isn’t broken, then why fix it? But such defaults never last – at least, not for me.
- I could use the current phone and take the incremental next step in using a phone with a locked bootloader: I could eliminate the Google bits by eliminating the Google account and by uninstalling (and/or disabling) Google, Samsung, and T-Mobile apps using the Android Debug Bridge (a.k.a., adb).
I had previously decided to de-google my phone before my birthday (in July). So once Independence Day came and went, I got serious about de-googling my phone.
The Road Less Taken
Of all of the options available to me, I landed on the one that cost the least amount of my money but required the most investment of my personal time. So I researched many different lists of Google apps (and frameworks) on the Samsung Galaxy S8+. I first disabled the apps that I had identified. Then I used a tool available on the Google Play Store called Package Disabler Pro. I have used this before. So I used it again to identify those apps that I could readily disable. By doing this, I could determine the full impact of deleting some of these packages – before I actually deleted them. Once I had developed a good list and had validated that the phone would still operate, I made my first attempt.
And as expected, I ran into a few problems. Some of them were unexpected. But most of them were totally expected. Specifically, Google embeds some very good technology in the Google Play Services (gms) and Google Services Framework (gsf). And when you disable / delete these tools, a lot of apps just won’t work completely. This is especially true with notifications.
I also found out that there were some key multimedia messaging services (MMS) capabilities that I was using without realizing it. So when I deleted these MMS tools, I had trouble with some of my routine multi-recipient messages. I solved this by simply re-installing those pieces of software. [Note: If that had not worked, then I was ready to re-flash to a baseline T-Mobile ROM. So I had multiple fallback plans. Fortunately, the re-installation solved the biggest problem.]
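The disable-first, remove-later, re-install-as-fallback sequence described above can be scripted so that every step is reviewed before it touches the phone. The following is an added example, not the commands or package list used in this post: the package names are a constructed sample, the keep-list entry is an assumption, and the `pm` / `cmd package` subcommands are assumed to be available on the device's Android version.

```shell
#!/bin/sh
# Added example: staged, reversible package removal over adb (dry run by default).
# Package names below are a constructed sample, not the author's list.

DRY_RUN="${DRY_RUN:-1}"          # 1 = only print the adb commands
KEEP="com.android.mms.service"   # assumed keep-list: packages never touched

SAMPLE_LIST='# constructed sample list
com.google.android.gms
com.google.android.gsf

com.android.mms.service
not a package name'

# Accept only well-formed package names (letters, digits, "_" and ".").
valid_pkg() {
    case "$1" in
        ""|*[!A-Za-z0-9._]*) return 1 ;;
        *.*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the adb command for one stage of the procedure.
stage_cmd() {
    case "$1" in
        disable) echo "adb shell pm disable-user --user 0 $2" ;;
        remove)  echo "adb shell pm uninstall -k --user 0 $2" ;;
        restore) echo "adb shell cmd package install-existing $2" ;;
        *) return 2 ;;
    esac
}

# plan STAGE: read names on stdin; skip comments, blanks, bad names, keep-list.
plan() {
    while IFS= read -r pkg; do
        case "$pkg" in ""|"#"*) continue ;; esac
        valid_pkg "$pkg" || { echo "skip (invalid): $pkg" >&2; continue; }
        case " $KEEP " in *" $pkg "*) echo "skip (keep-list): $pkg" >&2; continue ;; esac
        cmd=$(stage_cmd "$1" "$pkg") || return 2
        echo "$cmd"
        # stdin is redirected so adb cannot swallow the rest of the list
        [ "$DRY_RUN" = "1" ] || $cmd </dev/null || echo "failed: $pkg" >&2
    done
}

printf '%s\n' "$SAMPLE_LIST" | plan disable
```

Run the `disable` stage first and use the phone for a while; only then feed the same list to `plan remove`, and keep the list so that `plan restore` can bring back anything that turns out to be needed.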
Bottom Line
After planning for the eventual elimination of my Google dependence, I finally took the necessary last step towards a more private life; I successfully de-googled my phone – and my personal life. Do I still have some interaction with Google? Of course I do. But those interactions are far less substantial, far more manageable, and far more private. At the same time, I have eliminated a large number of Samsung and T-Mobile tracking tools. So my continuous privacy improvement process (i.e., my intentional privacy improvements) has resulted in a more desirable collaboration between myself and my technology partners.