WEBVTT 1 00:00:00.080 --> 00:00:02.279 You know that feeling right when your phone seems just 2 00:00:02.799 --> 00:00:03.759 a little too smart. 3 00:00:04.000 --> 00:00:05.919 Yeah, like you mentioned something out loud. 4 00:00:05.759 --> 00:00:08.839 Exactly like needing new running shoes, and bam, suddenly every 5 00:00:08.839 --> 00:00:10.240 ad you see is for sneakers. 6 00:00:10.240 --> 00:00:11.800 It makes you really stop and think. 7 00:00:11.679 --> 00:00:14.759 It really does. Just how much of these things tracking us? 8 00:00:14.839 --> 00:00:19.000 It's a totally legitimate concern. I mean, our phones, they're 9 00:00:19.039 --> 00:00:23.800 basically pocket sized data collection machines, always sending out info 10 00:00:23.879 --> 00:00:25.800 about where we are, what apps. 11 00:00:25.440 --> 00:00:27.519 We use, our web activity, all of it. 12 00:00:27.760 --> 00:00:32.200 Yeah, and the big tech companies they use this stuff extensively. 13 00:00:31.760 --> 00:00:35.359 Which brings us right to today's deep dive. We're talking 14 00:00:35.600 --> 00:00:39.439 extreme privacy for mobile devices. We're going to really get 15 00:00:39.479 --> 00:00:42.560 into the strategies to lock down your phone, drawing heavily 16 00:00:42.600 --> 00:00:46.280 on Michael Bizell's work, specifically a document he put together on. 17 00:00:46.200 --> 00:00:49.960 This, and Bizell, well, he knows his stuff comes from 18 00:00:50.240 --> 00:00:54.200 years working cybercrime with the FBI. Plus he's huge in 19 00:00:54.200 --> 00:00:57.359 the ocent world, open source intelligence and just you know, 20 00:00:57.399 --> 00:00:59.320 building really solid privacy plans. 21 00:00:59.560 --> 00:01:02.399 You might know his book Extreme Privacy, which is like 22 00:01:02.920 --> 00:01:05.959 the bible for this stuff, or maybe even from mister Robot. 23 00:01:06.040 --> 00:01:07.840 He was a tech advisor for the first season. 24 00:01:08.120 --> 00:01:11.120 Yeah, he helped make that show feel really authentic about 25 00:01:11.159 --> 00:01:11.959 tech anxiety. 26 00:01:12.280 --> 00:01:14.400 So this document we're looking at today, it's kind of 27 00:01:14.439 --> 00:01:16.599 a focused add on to his main work, just for 28 00:01:16.680 --> 00:01:17.959 phones exactly. 29 00:01:18.079 --> 00:01:20.319 So our goal here is to pull out Bizell's key 30 00:01:20.359 --> 00:01:24.519 advice for setting up a mobile device that's well truly 31 00:01:24.560 --> 00:01:25.560 private and secure. 32 00:01:25.680 --> 00:01:29.640 We'll look at cutting down location tracking, limiting what Apple 33 00:01:29.719 --> 00:01:31.359 and Google scoop. 34 00:01:31.079 --> 00:01:34.560 Up, and just generally reducing how exposed you might be. 35 00:01:34.760 --> 00:01:38.040 Okay, but let's set the stage here. Bizell is super 36 00:01:38.079 --> 00:01:43.400 clear this level of privacy it's not about convenience. 37 00:01:42.920 --> 00:01:45.120 Oh, definitely not. There are trade offs. This is for 38 00:01:45.159 --> 00:01:48.200 people who are really serious about shrinking their digital footprint 39 00:01:48.280 --> 00:01:48.719 on mobile. 40 00:01:48.799 --> 00:01:51.159 So it's not your average user setup. 41 00:01:50.879 --> 00:01:53.079 Not at all. Yeah. But even if you don't think 42 00:01:53.159 --> 00:01:57.079 you're like a high risk target or anything, understanding these methods, 43 00:01:57.159 --> 00:01:59.840 it gives you incredible insight into just how much data 44 00:02:00.040 --> 00:02:01.120 these devices. 45 00:02:00.680 --> 00:02:03.239 Handle and what's actually possible if you want to take 46 00:02:03.280 --> 00:02:04.879 back some control exactly. 47 00:02:05.040 --> 00:02:06.439 It's valuable knowledge either way. 48 00:02:06.879 --> 00:02:10.879 Okay, let's dive in then, extreme mobile privacy. Where does 49 00:02:10.919 --> 00:02:14.159 Bizell say we start? It feels like it has to 50 00:02:14.199 --> 00:02:16.879 begin with the phone itself right, getting it privately. 51 00:02:17.159 --> 00:02:21.560 That's precisely it. The absolute foundation is breaking any link 52 00:02:21.639 --> 00:02:24.800 between the new device and you right from the get go. 53 00:02:25.080 --> 00:02:25.960 So how do we do that? 54 00:02:26.080 --> 00:02:30.319 Bezell's main recommendation buy it new, pay with cash at 55 00:02:30.360 --> 00:02:33.840 an actual store, a physical retail store, ah okay. 56 00:02:34.039 --> 00:02:37.479 Avoids the credit card trail, the online order history. 57 00:02:37.280 --> 00:02:39.319 Exactly, no digital breadcrumbs. 58 00:02:39.360 --> 00:02:42.400 He even talks about using a nominee someone else to 59 00:02:42.439 --> 00:02:44.960 buy it for you. That sounds intense. 60 00:02:45.120 --> 00:02:46.960 It really does show the level some people might need 61 00:02:47.000 --> 00:02:48.360 to go to, you know, if they're in a really 62 00:02:48.439 --> 00:02:49.400 high risk situation. 63 00:02:49.560 --> 00:02:51.879 But for most people, just trying to up their privacy game, 64 00:02:52.000 --> 00:02:54.960 cash in person is a huge first step, the huge step. 65 00:02:55.159 --> 00:02:58.280 And Bazill also warns pretty strongly against buying used phones. 66 00:02:58.599 --> 00:02:59.759 What's the thinking there. 67 00:02:59.680 --> 00:03:02.520 Well, I guess the obvious stuff could be stolen, could 68 00:03:02.560 --> 00:03:04.240 be locked to an old account, or. 69 00:03:04.240 --> 00:03:06.280 Still have data from the last person on there. Yeah, 70 00:03:06.400 --> 00:03:08.759 Plus that phone already has a history tied to someone. 71 00:03:08.520 --> 00:03:11.800 Else, right, Factory reset doesn't just wipe its. 72 00:03:11.639 --> 00:03:15.520 Past life, not entirely, And Bazill points out even if 73 00:03:15.520 --> 00:03:19.159 you try buying online with like fake names. 74 00:03:19.000 --> 00:03:20.360 Or whatever, still leaves cracks. 75 00:03:20.439 --> 00:03:23.159 Yeah, there's still a shipping address, some kind of payment, 76 00:03:23.800 --> 00:03:26.680 unique device ideas the seller locks a face to face 77 00:03:26.719 --> 00:03:29.400 cash purchase. That's the cleanest break you can get. 78 00:03:29.680 --> 00:03:32.960 All right, So we've got our anonymously bought brand new phone. 79 00:03:33.319 --> 00:03:36.120 That's the next big layer for privacy. It's got to 80 00:03:36.159 --> 00:03:37.240 be the operating. 81 00:03:36.840 --> 00:03:41.080 System, absolutely critical. And the key thing to grasp here 82 00:03:41.240 --> 00:03:45.000 is that both major players iOS and standard Android, they 83 00:03:45.039 --> 00:03:46.960 collect a ton of user data. 84 00:03:47.639 --> 00:03:50.400 People often say iOS is more private out of the box. 85 00:03:50.360 --> 00:03:53.039 And in some ways maybe it's default security settings are 86 00:03:53.080 --> 00:03:56.199 tighter than some Android versions. But bizeld point is when 87 00:03:56.240 --> 00:03:59.120 it comes to data collection, both Apple and Google are 88 00:03:59.120 --> 00:03:59.879 doing it a lot. 89 00:04:00.120 --> 00:04:03.280 It. He actually says he thinks Apple's constant data transmissions 90 00:04:03.319 --> 00:04:04.759 are just as bad as Google's. 91 00:04:04.759 --> 00:04:06.919 That's quite a statement, it is, and it's why he 92 00:04:07.039 --> 00:04:10.960 pushes hard for using a custom ungoogled Android version as 93 00:04:11.000 --> 00:04:12.639 the way to go for serious privacy. 94 00:04:12.680 --> 00:04:14.159 And his top pick is Graffinios. 95 00:04:14.240 --> 00:04:14.759 Raffinius. 96 00:04:14.840 --> 00:04:18.800 Yeah yeah, So for people maybe not familiar, what is Graphenios? 97 00:04:18.920 --> 00:04:19.839 What makes it different? 98 00:04:20.120 --> 00:04:23.399 Okay, so the main idea behind Graphenius is just stripping 99 00:04:23.399 --> 00:04:27.439 things down, cutting out potential ways it could be attacked or. 100 00:04:27.680 --> 00:04:31.120 Leak your data, minimizing the attack surface and data leakage. 101 00:04:31.519 --> 00:04:32.040 Got it. 102 00:04:32.040 --> 00:04:36.399 It's open source, built on Android, but really redesigned with 103 00:04:36.519 --> 00:04:40.519 privacy and security baked in from the start. Bizelle flags 104 00:04:40.519 --> 00:04:43.720 a few key things like what well it enforces a 105 00:04:43.759 --> 00:04:47.240 locked bootloader. That's a big security win. Stops people messing 106 00:04:47.240 --> 00:04:48.480 with the core system easily. 107 00:04:48.560 --> 00:04:49.920 Okay, that makes sense. 108 00:04:49.639 --> 00:04:51.839 And it gives you the option. It's optional to run 109 00:04:51.920 --> 00:04:53.560 Google Play services, but. 110 00:04:53.720 --> 00:04:56.839 Sandboxed sandboxed, what does that mean? In practice? 111 00:04:56.920 --> 00:04:59.720 It means they're walled off. They have very limited access 112 00:04:59.759 --> 00:05:01.319 to the to your phone in data. 113 00:05:01.360 --> 00:05:04.199 Ah. Okay, so you could still get notifications maybe from 114 00:05:04.279 --> 00:05:07.199 apps that need Google stuff exactly, but. 115 00:05:07.319 --> 00:05:11.680 It's contained and crucially, Graphenios doesn't need things like MicroG 116 00:05:12.120 --> 00:05:13.519 to handle those notifications. 117 00:05:13.720 --> 00:05:16.480 That sandbox Google Services thing sounds like a pretty big 118 00:05:16.519 --> 00:05:17.639 deal for usability. 119 00:05:17.800 --> 00:05:21.360 It's a major feature. It dramatically cuts down what data 120 00:05:21.399 --> 00:05:24.279 Google Services can actually see and Phone Home about. 121 00:05:24.160 --> 00:05:26.399 So it limits Google's view right. 122 00:05:26.600 --> 00:05:30.839 And Bazell also notes, look, while he focuses on Graphenios, 123 00:05:31.120 --> 00:05:34.240 a lot of these privacy ideas apply to other custom 124 00:05:34.360 --> 00:05:36.839 de googled Android ROMs to and he. 125 00:05:36.920 --> 00:05:40.399 Mentions buying unlocked phones. Why is that so crucial here? 126 00:05:40.519 --> 00:05:43.399 Freedom? Simple as that an unlocked phone means you can 127 00:05:43.519 --> 00:05:46.319 use any cell carrier you want, all right, And as 128 00:05:46.360 --> 00:05:49.639 we'll get into later, Bizell's strategies for private cell service 129 00:05:49.759 --> 00:05:53.680 often involve switching carriers or using specific plan types. You 130 00:05:53.720 --> 00:05:55.639 need an unlocked phone for that flexibility. 131 00:05:55.720 --> 00:06:00.000 Okay, unlocked new phone acquired privately. Now the slightly skilled 132 00:06:00.279 --> 00:06:04.199 part for some Yeah, installing Graphenios. This isn't like just 133 00:06:04.279 --> 00:06:05.480 downloading an app. 134 00:06:05.360 --> 00:06:08.920 No, definitely not. You're basically replacing the phone's entire original 135 00:06:08.959 --> 00:06:09.920 brain with Graphenio. 136 00:06:09.920 --> 00:06:11.720 As to how's it done, Bizell walks through it for 137 00:06:11.759 --> 00:06:12.439 Pixel phones. 138 00:06:12.560 --> 00:06:16.000 Yeah, He focuses on compatible Google Pixel devices. First, you 139 00:06:16.040 --> 00:06:18.199 have to prep the phone, unlock the OEM setting, and 140 00:06:18.240 --> 00:06:22.439 turn on USB debugging. He mentions he's covered this before elsewhere. 141 00:06:22.199 --> 00:06:24.560 And he gives a couple of ways to do the 142 00:06:24.600 --> 00:06:27.519 actual install starting with a web based method. 143 00:06:27.680 --> 00:06:30.800 Right, the web installer that's designed to make it easier, 144 00:06:31.040 --> 00:06:31.800 more accessible. 145 00:06:31.879 --> 00:06:32.680 How does that work? 146 00:06:33.000 --> 00:06:36.319 You use a web browser? He suggests a chromium based 147 00:06:36.319 --> 00:06:38.639 one like Brave, which is more private than chrome itself, 148 00:06:39.199 --> 00:06:42.040 connect the phone to your computer, and the Graphenis website 149 00:06:42.079 --> 00:06:43.079 basically walks you through it. 150 00:06:43.199 --> 00:06:44.360 Okay, what are the steps? 151 00:06:44.680 --> 00:06:48.279 Roughly, you boot the phone into what's called bootloader mode, 152 00:06:48.959 --> 00:06:51.279 plug it into the computer. On the website, there's a 153 00:06:51.279 --> 00:06:55.480 button click that it unlocks the bootloader. Temporarily confirm it 154 00:06:55.519 --> 00:06:59.199 on the phone. Right Then the installer downloads graphingios, flashes 155 00:06:59.240 --> 00:07:01.839 it onto the phone. That's the install part, and then 156 00:07:02.000 --> 00:07:05.240 crucially use the web tool again to relock the bootloader. 157 00:07:05.279 --> 00:07:07.360 Relocking is important for security. 158 00:07:06.959 --> 00:07:10.480 Absolutely essential. Then the phone reboots and boom, you're running 159 00:07:10.439 --> 00:07:11.160 Graphy in THEOS. 160 00:07:11.319 --> 00:07:14.160 He also mentions doing it via command line Yeah. 161 00:07:14.199 --> 00:07:17.199 For the more technically adventurous, yeah, gives you more control, 162 00:07:17.360 --> 00:07:19.839 but you need to be comfortable with Android command line 163 00:07:19.839 --> 00:07:23.480 tools like fast boots. The web installer is way easier 164 00:07:23.480 --> 00:07:24.199 for most people. 165 00:07:24.439 --> 00:07:27.879 And once Graphius is up and running, any immediate next 166 00:07:27.879 --> 00:07:28.959 steps for security? 167 00:07:29.160 --> 00:07:32.439 Yes, definitely go straight into settings and turn off OEM 168 00:07:32.519 --> 00:07:35.199 unlocking and developer options. You needed them for the install, 169 00:07:35.279 --> 00:07:36.959 but leaving them on is a security risk. 170 00:07:37.000 --> 00:07:40.000 Got it Okay? Fresh GRAFANIOS install. He says it's private 171 00:07:40.040 --> 00:07:43.279 by default, but are there things we should tweak right away. 172 00:07:43.519 --> 00:07:46.079 Yeah, it's a great starting point, but Bizell does point 173 00:07:46.120 --> 00:07:49.319 out some useful adjustments. One really neat feature is the 174 00:07:49.399 --> 00:07:51.560 quick settings toggles for the microphone and camera. 175 00:07:51.720 --> 00:07:54.040 Oh like quick kill switches exactly. 176 00:07:54.120 --> 00:07:57.680 Software kill switches lets you instantly block access. 177 00:07:57.720 --> 00:08:00.319 Super handy day to day, but it's software, not a 178 00:08:00.360 --> 00:08:01.560 physical block. 179 00:08:01.439 --> 00:08:05.439 Right, important distinction. Good for everyday use, but maybe not 180 00:08:05.560 --> 00:08:08.920 fool proof if you need absolute certainty. He also suggests 181 00:08:08.959 --> 00:08:11.600 doing the initial device setup while you're on Wi Fi. 182 00:08:11.879 --> 00:08:14.160 Wi Fi not cellular data. 183 00:08:14.279 --> 00:08:16.800 Why well, during setup, the phone's doing a lot of 184 00:08:16.839 --> 00:08:20.879 initial communication checking for updates. Connecting to servers using a 185 00:08:20.879 --> 00:08:24.399 trusted Wi Fi network is just a more controlled environment. 186 00:08:24.160 --> 00:08:26.600 And ideally behind a VPN, even. 187 00:08:26.399 --> 00:08:29.920 On Wi Fi, that's the extreme measure. Yeah, it masks 188 00:08:29.959 --> 00:08:33.879 your IP and encrypts everything during that sensitive phase, but 189 00:08:34.039 --> 00:08:37.559 he concedes for some just using your home Wi Fi 190 00:08:37.759 --> 00:08:38.440 might be okay. 191 00:08:38.639 --> 00:08:40.759 He also mentions a couple of other optional things. 192 00:08:40.879 --> 00:08:43.000 Yeah, like setting the screen to grayscale if you want 193 00:08:43.000 --> 00:08:46.240 fewer distractions, or switching back to the old three button 194 00:08:46.279 --> 00:08:49.679 navigation if you prefer it. A little usability tweaks. 195 00:08:49.360 --> 00:08:53.919 Okay, Browsing that's a big one for privacy. Graffinios comes 196 00:08:53.919 --> 00:08:55.480 with its own browser, Vanadium. 197 00:08:55.559 --> 00:08:59.039 Right, Vanadium, it's built on chromium but hardened for privacy. 198 00:08:59.440 --> 00:09:01.519 What do we need to know about using it privately? 199 00:09:02.000 --> 00:09:04.480 The main thing Bazell points out is, unlike some other 200 00:09:04.519 --> 00:09:08.759 privacy browsers, Vanadium doesn't automatically wipe your history in cookies 201 00:09:08.799 --> 00:09:09.440 when you close it. 202 00:09:09.759 --> 00:09:13.360 Ah, so you need to clean up after yourself manually exactly. 203 00:09:13.759 --> 00:09:17.360 He advises going into settings periodically and clearing browsing data 204 00:09:17.720 --> 00:09:20.279 to help minimize what it keeps. You can turn on 205 00:09:20.320 --> 00:09:24.240 settings like closed tabs on exit and maybe open external 206 00:09:24.279 --> 00:09:25.840 links in incognito mode. 207 00:09:25.960 --> 00:09:27.559 Okay, makes sense, Keep it tidy. 208 00:09:27.720 --> 00:09:30.159 Yeah. He also gives a quick nod to checking the 209 00:09:30.200 --> 00:09:33.200 camera app settings, just making sure they're figured how you want. 210 00:09:33.440 --> 00:09:36.960 Contacts another big data source usually sync straight to Google 211 00:09:37.039 --> 00:09:40.159 or Apple. What's the Bizell way to handle contacts on 212 00:09:40.200 --> 00:09:41.960 Grafinios without the cloud? 213 00:09:42.240 --> 00:09:45.399 The whole idea is just keep your contacts off those 214 00:09:45.399 --> 00:09:48.440 big cloud servers, completely under your control. 215 00:09:48.320 --> 00:09:50.000 So no sinking. How does it work? 216 00:09:50.039 --> 00:09:53.320 Then it's a manual process. He suggests keeping your master 217 00:09:53.440 --> 00:09:57.000 contact list on an encrypted computer, ideally Linux. Then you 218 00:09:57.039 --> 00:09:58.600 export them as a VCF file. 219 00:09:58.879 --> 00:10:01.840 VCF like a standard contact file format exactly. 220 00:10:01.919 --> 00:10:05.039 You export from your computer, copy the VCF file to 221 00:10:05.159 --> 00:10:08.559 your pixel using a USB cable, and then import it 222 00:10:08.600 --> 00:10:12.440 into the basic contact app that comes with Grafiniosh sounds a. 223 00:10:12.399 --> 00:10:14.039 Bit more involved than automatic sinco. 224 00:10:14.200 --> 00:10:17.440 It definitely has. It requires delibered action. He suggests maybe 225 00:10:17.480 --> 00:10:20.480 doing it monthly. But the payoff is your contact list 226 00:10:20.519 --> 00:10:22.519 never touches Googles or Apple servers. 227 00:10:22.600 --> 00:10:24.879 And you could get that vcfile from other places too, 228 00:10:25.080 --> 00:10:25.919 like proton mail. 229 00:10:26.000 --> 00:10:28.080 Yeah, if you manage contacts there, you can export a 230 00:10:28.159 --> 00:10:29.799 VCF from services like that as well. 231 00:10:29.879 --> 00:10:32.759 Okay, device is set up, contacts are handled locally. Let's 232 00:10:32.799 --> 00:10:36.480 talk network level stuff. Zell recommends next DNS. What is 233 00:10:36.519 --> 00:10:38.159 that and how does it boost privacy? 234 00:10:38.440 --> 00:10:41.080 So think of DNS as the Internet's phone book. It 235 00:10:41.120 --> 00:10:44.919 turns website names like Google dot Com into IP addresses 236 00:10:44.960 --> 00:10:48.440 your device can connect to. Right Normally, your internet provider 237 00:10:48.519 --> 00:10:51.720 or mobile carrier handles those lookups and they can log everything. 238 00:10:52.080 --> 00:10:54.639 Next dns is a private DNS service you can tell 239 00:10:54.679 --> 00:10:56.440 grafenios to use instead. 240 00:10:56.320 --> 00:10:59.679 So you bypass your ISPSDNS. What's the advantage to. 241 00:11:00.200 --> 00:11:03.440 Ones First, next DNS can log all the connections your 242 00:11:03.440 --> 00:11:04.600 phone tries to make you get. 243 00:11:04.559 --> 00:11:06.960 Visibility, see where your data's going exactly. 244 00:11:07.279 --> 00:11:10.200 And second, even better, you can set up blocklists. Tell 245 00:11:10.240 --> 00:11:13.840 NEXTDNS don't let my phone connect to these known ad servers, 246 00:11:13.879 --> 00:11:16.519 these tracking domains, these malware sites. 247 00:11:16.240 --> 00:11:18.320 Whoh okay. So it's like a filter for the whole 248 00:11:18.320 --> 00:11:20.399 phone's Internet access at the DNS level. 249 00:11:20.480 --> 00:11:24.879 Precisely, he specifically suggests enabling the main next DNS ads 250 00:11:24.879 --> 00:11:28.080 and trackers blocklist. It stops a lot of unwonded stuff 251 00:11:28.120 --> 00:11:29.519 before the connection even happens. 252 00:11:29.600 --> 00:11:31.720 What if it blocks something I actually need, like a 253 00:11:31.759 --> 00:11:33.279 banking app stops working. 254 00:11:33.279 --> 00:11:37.759 Good question. It can happen occasionally. Bazell's advice is simple, 255 00:11:38.200 --> 00:11:42.200 temporarily switch the phone's private DNS setting back to automatic. 256 00:11:42.879 --> 00:11:45.679 If the app works again, you know next DNS was 257 00:11:45.679 --> 00:11:48.759 blocking something, and you check the logs. Yep, go into 258 00:11:48.799 --> 00:11:51.440 your next DS logs, figure out which domain got blocked, 259 00:11:51.519 --> 00:11:53.480 and you can add it to an allow list if needed. 260 00:11:53.840 --> 00:11:56.200 Or if you see an app constantly calling home to 261 00:11:56.240 --> 00:11:59.919 some sketchy domain, you can add that domain to your denialist. 262 00:12:00.720 --> 00:12:02.200 Very granular control. 263 00:12:02.600 --> 00:12:04.440 And you can turn off a logging in next DNS 264 00:12:04.480 --> 00:12:07.240 itself eventually for max privacy. 265 00:12:06.919 --> 00:12:08.960 Right, once you get your blockless dialed, and you can 266 00:12:09.039 --> 00:12:12.679 disable logging entirely in your next DNS account settings or 267 00:12:12.919 --> 00:12:15.320 just clear the logs whenever you want. He also shows 268 00:12:15.320 --> 00:12:17.799 how to double check that your phone is actually routing through. 269 00:12:17.600 --> 00:12:21.759 Next DNS notifications. They seem harmless, but they mean constant 270 00:12:21.799 --> 00:12:25.240 pings back to app servers. Right. What's the extreme privacy 271 00:12:25.320 --> 00:12:25.799 take here. 272 00:12:25.919 --> 00:12:28.759 It's that classic privacy versus convenience trade off turning off 273 00:12:28.840 --> 00:12:33.000 push notifications. Definitely more private apps aren't constantly checking in. 274 00:12:33.039 --> 00:12:35.679 You only get updates when you actively open the app. 275 00:12:35.759 --> 00:12:38.320 Plus better battery life probably often. 276 00:12:38.159 --> 00:12:40.919 Yeah, but you lose the instant alerts. You have to 277 00:12:40.919 --> 00:12:43.399 be more intentional about checking things. 278 00:12:44.039 --> 00:12:46.600 He mentioned. Some apps like Totonota and Signal have their 279 00:12:46.639 --> 00:12:47.960 own notification methods. 280 00:12:48.080 --> 00:12:51.679 Right. Some privacy focus apps try to handle notifications themselves, 281 00:12:51.799 --> 00:12:56.480 avoiding Google system to to Noda Signal do this, but 282 00:12:56.600 --> 00:13:00.159 as Bazell notes, sometimes that can actually drain more battery 283 00:13:00.360 --> 00:13:02.600 because the app has to keep its own connection. 284 00:13:02.320 --> 00:13:05.919 Open, and some VIP apps only work when they're open. 285 00:13:06.000 --> 00:13:08.799 Yeah, things like Sypnetic or my Pseudo might only ring 286 00:13:08.919 --> 00:13:10.919 for incoming calls that the app is actually running in 287 00:13:10.919 --> 00:13:14.639 the foreground. So a totally Google free setup might mean 288 00:13:14.720 --> 00:13:16.919 you miss stuff unless you're checking actively. 289 00:13:16.960 --> 00:13:18.840 It seems like you really have to want that level 290 00:13:18.840 --> 00:13:20.159 of disconnect. 291 00:13:19.639 --> 00:13:24.159 You do, which leads to the compromise. Bizelle discusses Graffinius 292 00:13:24.240 --> 00:13:26.600 is sandboxed Google Play services for push. 293 00:13:26.879 --> 00:13:31.159 Ah, the sandboxed option again, how does that help with notifications? 294 00:13:31.200 --> 00:13:33.559 It lets you get notifications from apps that depend on 295 00:13:33.600 --> 00:13:36.679 Google system, but without needing a full Google account logged 296 00:13:36.720 --> 00:13:39.480 in on your phone, and it restricts what Google can see. 297 00:13:39.519 --> 00:13:40.320 How restricted? 298 00:13:40.559 --> 00:13:42.879 Well, Google might know that an app is sending a 299 00:13:42.919 --> 00:13:46.600 notification via their service, but they shouldn't see the content 300 00:13:46.639 --> 00:13:50.519 of the notification. It's encrypted, and since you're not logged in, 301 00:13:50.720 --> 00:13:53.159 it's harder for them to tie that activity directly back 302 00:13:53.200 --> 00:13:53.399 to you. 303 00:13:53.600 --> 00:13:55.559 Okay, so it's a middle ground exactly. 304 00:13:56.279 --> 00:14:00.480 Bazel himself prefers no Push services for ultimate privacy, but 305 00:14:00.559 --> 00:14:06.200 he admits most Graphinios users enable the sandboxed version because frankly, 306 00:14:06.320 --> 00:14:08.720 it makes the phone much more practical for daily use. 307 00:14:08.919 --> 00:14:10.919 If you do want to use it, should you install 308 00:14:10.960 --> 00:14:11.840 it before your apps? 309 00:14:11.919 --> 00:14:15.960 Yes, that's the recommendation install the sandbox play services first, 310 00:14:16.279 --> 00:14:19.159 then install the apps that need it. He walks through 311 00:14:19.159 --> 00:14:22.440 how to install the necessary components and importantly, how you 312 00:14:22.440 --> 00:14:24.759 can always uninstall them later if you change your mind, 313 00:14:25.240 --> 00:14:27.720 Plus how to manage notification permissions per app? 314 00:14:27.759 --> 00:14:31.759 Of course, right, Okay, os is set up, network is filtered, 315 00:14:31.919 --> 00:14:35.559 notifications handled. We need apps. The regular Google play store 316 00:14:35.600 --> 00:14:38.440 is out. If we're avoiding Google, how do we install 317 00:14:38.480 --> 00:14:40.519 apps privately on graphinios. 318 00:14:40.679 --> 00:14:42.360 Yeah, this is a key challenge. The goal is to 319 00:14:42.399 --> 00:14:45.480 get apps without feeding data directly back to Google via 320 00:14:45.519 --> 00:14:48.799 the playstore. Bizell mentions Aurora Store first. 321 00:14:48.840 --> 00:14:51.720 Aurorer Store. That's like an anonymous front end for the 322 00:14:51.720 --> 00:14:52.960 playstore exactly. 323 00:14:53.159 --> 00:14:55.759 It tries to fetch you apps anonymously, but he notes 324 00:14:55.799 --> 00:14:58.919 it can be buggy sometimes have connection issues. So he 325 00:14:59.000 --> 00:15:01.960 lays out a kind of highhierarchy of methods from best 326 00:15:01.960 --> 00:15:05.559 to worst privacy wise. What's the order best option? First? 327 00:15:06.480 --> 00:15:10.200 F droid that's a repository specifically for free and open 328 00:15:10.200 --> 00:15:13.360 source software FOSS. If the app you want is on 329 00:15:13.559 --> 00:15:14.639 f droid, get. 330 00:15:14.480 --> 00:15:15.919 It there, Okay, f droid first. 331 00:15:16.360 --> 00:15:19.879 If it's not there, then try Aurora Store first. Attempt 332 00:15:19.879 --> 00:15:21.559 to use its built in anonymous log in. 333 00:15:21.639 --> 00:15:24.440 See if that works, and if the anonymous login fails. 334 00:15:24.200 --> 00:15:27.200 Then reluctantly you might need to log into Aurora Store 335 00:15:27.279 --> 00:15:30.080 using a burner Google account when you created just for 336 00:15:30.120 --> 00:15:32.440 this with no real info tide to it and saw 337 00:15:32.480 --> 00:15:34.440 the apps you need, then log out of the burner 338 00:15:34.480 --> 00:15:36.039 account and Aurora immediately. 339 00:15:36.200 --> 00:15:38.679 Still better than using your main Google account. 340 00:15:38.519 --> 00:15:42.000 Much better, And the absolute last resort if none of 341 00:15:42.000 --> 00:15:45.480 that works is manually finding and downloading the APK file 342 00:15:45.519 --> 00:15:48.200 for the app from a trusted third party source like 343 00:15:48.279 --> 00:15:51.879 APK miror or APK Pure, but that requires careful vetting 344 00:15:51.960 --> 00:15:52.399 of the source. 345 00:15:52.519 --> 00:15:55.960 So the preference is clearly f Droid, then Aurora anonymous, 346 00:15:56.000 --> 00:15:58.480 then Aurora Burner, then manual APKs. 347 00:15:58.720 --> 00:16:02.279 That's the flow, and he stresses keep froid and Aurora 348 00:16:02.440 --> 00:16:06.759 store themselves updated, preferably manually checking for updates rather than 349 00:16:06.840 --> 00:16:09.279 letting them auto update, just for more control. 350 00:16:09.399 --> 00:16:12.080 He acknowledges there's some debate about fdroid and Aurora. 351 00:16:12.279 --> 00:16:15.200 Yeah, within the privacy community. There are always discussions about 352 00:16:15.200 --> 00:16:20.000 trust and potential risks, but Bizell's take is basically they're flawed, 353 00:16:20.159 --> 00:16:23.480 but still vastly better privacy wise than using the official 354 00:16:23.519 --> 00:16:26.039 Google Play Store logged in with your real account. His 355 00:16:26.080 --> 00:16:29.759 advice is simple, only install apps you really need and trust. 356 00:16:29.559 --> 00:16:33.000 Okay apps are installed. We talked about next DNS blocking domains. 357 00:16:33.039 --> 00:16:35.480 Can we use that to block trackers within specific apps? 358 00:16:35.639 --> 00:16:37.559 He mentioned Blockingbrais dot com. 359 00:16:37.639 --> 00:16:41.840 Yes. Absolutely, This is where next DNS becomes really powerful 360 00:16:41.879 --> 00:16:45.039 for app privacy. You use the next DNS logs to 361 00:16:45.120 --> 00:16:47.080 watch what connections your apps are making in the. 362 00:16:47.039 --> 00:16:49.759 Background, like spying on your own apps kind of. 363 00:16:49.840 --> 00:16:52.320 Yeah. So you install an app, use it a bit, 364 00:16:52.720 --> 00:16:55.279 then check your next DNS logs if you see it 365 00:16:55.360 --> 00:16:58.759 constantly talking to domains like Braise dot com or appash 366 00:16:58.840 --> 00:16:59.879 analytics dot com. 367 00:16:59.759 --> 00:17:02.039 Or whatever, which are known tracker domains. 368 00:17:02.120 --> 00:17:04.160 Right, you can just copy that domain name and added 369 00:17:04.200 --> 00:17:06.759 straight to your next DNS denihilist blocked. 370 00:17:06.880 --> 00:17:09.799 He gave another example with the privacy dot Com app. 371 00:17:09.839 --> 00:17:12.240 Yeah, showing that you might see connections from a legitimate 372 00:17:12.240 --> 00:17:14.319 app you do want to use, but maybe you don't 373 00:17:14.319 --> 00:17:17.119 want it talking to certain third party services it uses. 374 00:17:17.559 --> 00:17:20.440 You can review those connections in the logs and decide, Okay, 375 00:17:20.480 --> 00:17:22.640 I'll allow the main app function, but I'll block this 376 00:17:22.759 --> 00:17:26.359 specific analytics domain it's trying to reach super granular. 377 00:17:26.599 --> 00:17:30.680 That's powerful. Okay, navigation. Google Maps is obviously the default 378 00:17:30.680 --> 00:17:33.440 for most, but it's a privacy nightmare. What are the 379 00:17:33.480 --> 00:17:34.799 alternatives Bazelle likes? 380 00:17:35.119 --> 00:17:39.279 He points to a few solid privacy respecting options, mostly 381 00:17:39.319 --> 00:17:43.599 based on openstreet map data, Organic Maps, os Man plus 382 00:17:43.839 --> 00:17:46.359 often written osman, and Magic Earth. 383 00:17:46.599 --> 00:17:49.359 What's the big advantage of these offline maps? 384 00:17:49.799 --> 00:17:52.079 All of them let you download map data for entire 385 00:17:52.119 --> 00:17:54.839 regions or countries directly to your phone, so you. 386 00:17:54.799 --> 00:17:57.640 Don't need a data connection while navigating, and you're not 387 00:17:57.839 --> 00:18:00.200 constantly pinging your location back to Google. 388 00:18:00.279 --> 00:18:03.839 Exactly, huge privacy win. Magic Earth also tries to do 389 00:18:03.920 --> 00:18:07.160 live traffic, but Bizill finds it less reliable than Google's. 390 00:18:07.240 --> 00:18:10.240 Which one does he lean towards currently. 391 00:18:09.880 --> 00:18:12.920 He mentions preferring Magic Earth finds it a good balance 392 00:18:12.960 --> 00:18:16.240 of features and usability. He downloads maps for whole country, 393 00:18:16.279 --> 00:18:17.599 so he's covered offline, and if. 394 00:18:17.480 --> 00:18:21.200 You absolutely positively need Google Maps for something specific. 395 00:18:20.839 --> 00:18:24.119 His suggestion is maybe install it in a secondary user 396 00:18:24.160 --> 00:18:28.000 profile on graffinios. Keep it totally separate from your main stuff. 397 00:18:28.039 --> 00:18:29.680 We'll touch on profiles later, gotcha. 398 00:18:29.759 --> 00:18:32.720 He also brings up adding extra pins to specific apps. 399 00:18:32.799 --> 00:18:35.079 Yeah, another layer of security. Some apps lete you set 400 00:18:35.079 --> 00:18:38.079 their own separate PI in or password beyond just your 401 00:18:38.119 --> 00:18:39.839