Oyzark's Blog

Travelling Privacy Cat. Still searching for where I belong. Like privacy, tech and travel. Twitter @oyzark

Oyzark. oyzark@proton.me. Twitter @oyzark

In the privacy community, we experience a higher risk than most people of having the online services we rely on suddenly become unavailable to us. There are several reasons for this: we tend to use smaller, newer and lesser established platforms such as ProtonMail instead of the behemoths such as Gmail used by the masses; government actions can force sudden closing of privacy-oriented services (think LavaBit); and in pursuing privacy we tend to exhibit non-typical behaviour patterns that can trigger alerts on our accounts.

There have been several reminders of this recently, including the sudden closure of the CTemplar email service, and Michael's experience with Telnyx phone service as described in a recent podcast. Personally, I just lost my SudoMax 9-phone number account for a couple of days due to some kind of system glitch. Fortunately their excellent support got me back up and running quickly, but it serves as a reminder that all systems are vulnerable.

In this article, I describe steps I have taken to mitigate risks to some of my most important online services – email, contacts, calendar, notes, messaging and phone. These are somewhat specific to my situation but I think the steps are generic enough they could be implemented by others.

Email, Contacts and Calendars

A ProtonMail Professional account (protonmail.com) is the hub for all my personal email activity, as well as personal contacts and calendar. If the account disappeared one day without mitigation, it would have a pretty significant negative impact, including losing friends and family contact information, losing precious old emails, missing new emails coming in, and having no idea what events I am supposed to be at in the future. This is all important enough that I need to keep a backup, but also get back on my feet again within hours if my ProtonMail account were to disappear. Here I describe a validated approach to using Tutanota as my alternate provider in case of loss of ProtonMail. The first steps are to ensure that all my important information is backed up somewhere regularly outside of ProtonMail; then comes ensuring I have an alternate, tested system that would get me back on my feet using email, contacts and calendar in hours, even with ProtonMail gone. Here are the steps I took:

  1. Switch to a custom domain in ProtonMail. Rather than use zzz@protonmail.com, I have ProtonMail host my own domain, so my email is more like zzz@mydomain.com. This has several advantages including avoiding problems caused by services not liking ProtonMail domains, and meaning I can quickly switch my email provider to another one without changing my address. You do need a paid ProtonMail account for this, and you do need to buy a domain from a registrar like GoDaddy or NameCheap. ProtonMail has instructions on setting up a custom domain in ProtonMail (https://protonmail.com/support/knowledge-base/set-up-a-custom-domain/)

  2. Create an offline backup process for existing email. The easiest way to do this is to run Proton Bridge (only available on paid accounts) and use an offline email program such as Thunderbird to archive mail. Thunderbird will ingest email continuously (when open) and save it locally in your profile folder. This profile folder can be copied to backup storage. To find the profile folder location in Thunderbird go to Help –> More Troubleshooting Information and click About Profiles. You will then see the root directory that is used for your current profile. The beauty of this approach is that Thunderbird has excellent offline search capabilities, so you get some helpful functionality beyond backup; and if I did lose my ProtonMail I probably would just leave old email in Thunderbird and access it there. An alternative is to use the ProtonMail Import-Export app (https://protonmail.com/import-export, also only available for paid accounts) that saves an MBOX file to your local storage. This is a manual process, but you can create a full backup just once, then create incremental backups of your mail by setting date ranges in the backup dialog. Most email software and providers allow import of MBOX files, so you are relatively safe here. I decided to do both Thunderbird and MBOX files. Do be aware that this can really use up some disk space, and exporting to the MBOX file can take several hours if you have a lot of mail.

  3. Create an offline backup process for contacts. This is a simple, but manual process. Click on the contacts icon in ProtonMail, then Settings, then Export Contacts. Your contacts will be decrypted and saved in the standard VCard (.vcf) format.

  4. Create an offline backup process for calendar. Similarly, in calendar go to Settings then Calendars. Beside each calendar is a dropdown with the option Export ICS. This will save a standard .ics calendar file with all your appointments. An alternative is to create a calendar link under Share outside Proton. This will give you a URL you can use to ingest your calendar into another calendar app, such as the one in Thunderbird. Make sure this app keeps an offline copy of your calendar entries. The link also gives you a quick way to save an ICS file without being in ProtonMail – just paste the URL into a browser and it will prompt you to save the file.

  5. Set up Tutanota as backup provider for email, contacts and calendar. It was very straightforward to make a new Tutanota account. I could have gotten away with just keeping a free account and upgrading later if needed, but I wanted to test the domain hosting capability, so decided to purchase the “Business Premium” account (€24/year) which allows multiple custom domains. Privacy.com payment was accepted.

  6. Test it out! This is the most important step. If you don't fully test your mitigation plan, you can be sure there will be a fatal flaw when you really need it. So I went through the whole process of hosting a test domain in Tutanota, then ingesting my contacts and calendar entries. The testing brought up two issues. First, Tutanota does not currently have the ability to import emails (it is on the roadmap). This is not a showstopper, as I am okay leaving my old mail in Thunderbird and accessing it there when needed. I did note though that Tutanota does not have a batch export capability either, which could be an issue down the road (also on the roadmap, although you can export individual emails). Second, Tutanota gave an error when trying to import the contacts exported from ProtonMail. After some exploration, this seems to be because ProtonMail is exporting vCard version 4.0, whereas Tutanota seems to be expecting an earlier version. I was able to fix this with the sed tool on Linux, to replace the version number in the file (replace the filenames with yours): sed 's/VERSION:4.0/VERSION:3.0/' 'protonContacts-X.vcf' > protonContacts-X-Tutanota.vcf. Other than that, importing the contacts and calendar into Tutanota was straightforward. Adding a custom domain is explained briefly at https://tutanota.com/faq#custom-domain. Clicking on Global settings –> Custom email domains –> Show then clicking the add button will get you started. I did this, and it worked well.
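The vCard fix in step 6 can be done a little more carefully than a bare sed substitution. The script below is an added example written for this page; it is not code from the article, Proton or Tutanota. It rewrites only VERSION property lines (the sed one-liner also rewrites the text "VERSION:4.0" anywhere it appears on a line, for instance inside a NOTE), checks that every BEGIN:VCARD has its END:VCARD so you know the export is not truncated, and reports properties that only exist in vCard 4.0 (RFC 6350) so you know what a 3.0-only importer may silently drop. The sample export is constructed inline; the file names in the usage comment are placeholders.

```python
"""Downgrade a vCard 4.0 export to VERSION:3.0 and sanity-check it (added example)."""
import sys
from typing import List, Tuple

# Properties introduced by RFC 6350 (vCard 4.0) that RFC 2426 (3.0) does not define.
V4_ONLY_PROPERTIES = {"KIND", "GENDER", "ANNIVERSARY", "LANG", "MEMBER", "RELATED", "XML"}


def split_cards(text: str) -> List[List[str]]:
    """Split a .vcf file into cards (lists of lines), checking BEGIN/END balance."""
    cards, current = [], None
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if line.upper() == "BEGIN:VCARD":
            if current is not None:
                raise ValueError("BEGIN:VCARD inside an unterminated card")
            current = [line]
        elif line.upper() == "END:VCARD":
            if current is None:
                raise ValueError("END:VCARD without a BEGIN:VCARD")
            current.append(line)
            cards.append(current)
            current = None
        elif current is not None:
            current.append(line)
    if current is not None:
        raise ValueError("file ends inside an unterminated card")
    return cards


def property_name(line: str) -> str:
    """'item1.TEL;TYPE=cell:+1...' -> 'TEL'; folded continuation lines return ''."""
    if line[:1] in (" ", "\t"):
        return ""
    name = line.split(":", 1)[0].split(";", 1)[0]
    return name.split(".", 1)[-1].upper()


def downgrade_to_v3(text: str) -> Tuple[str, List[str]]:
    """Return the rewritten file and a list of warnings about 4.0-only properties."""
    out, warnings = [], []
    for idx, card in enumerate(split_cards(text), start=1):
        for line in card:
            name = property_name(line)
            if name == "VERSION":
                line = "VERSION:3.0"
            elif name in V4_ONLY_PROPERTIES:
                warnings.append(f"card {idx}: {name} is vCard 4.0 only; a 3.0 importer may drop it")
            out.append(line)
    return "\r\n".join(out) + "\r\n", warnings


# Constructed sample export: two cards, one with a 4.0-only KIND property and a
# NOTE whose text happens to contain "VERSION:4.0" (which sed would also rewrite).
SAMPLE_EXPORT = "\r\n".join([
    "BEGIN:VCARD", "VERSION:4.0", "FN:Alice Example", "N:Example;Alice;;;",
    "EMAIL:alice@example.com", "NOTE:Met at the VERSION:4.0 meetup", "KIND:individual",
    "END:VCARD",
    "BEGIN:VCARD", "VERSION:4.0", "FN:Bob Example", "TEL;TYPE=cell:+1-555-0100",
    "END:VCARD",
]) + "\r\n"

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python3 vcard_downgrade.py protonContacts-X.vcf protonContacts-X-Tutanota.vcf
        with open(sys.argv[1], encoding="utf-8") as fh:
            converted, notes = downgrade_to_v3(fh.read())
        with open(sys.argv[2], "w", encoding="utf-8", newline="") as fh:
            fh.write(converted)
    else:
        converted, notes = downgrade_to_v3(SAMPLE_EXPORT)
    print(f"{len(split_cards(converted))} cards written")
    for note in notes:
        print("warning:", note)
```

Run it on the real export before importing into the alternate provider; a balance error means the export itself is damaged and should be regenerated rather than imported, and each warning names a property that may not survive the round trip.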
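Step 2 and step 6 together raise a question the article leaves to the reader: how do you know the MBOX backup you made actually parses and is recent enough to be useful? The script below is an added example, not code from the article, Proton or Thunderbird. It opens an MBOX file of the kind the Import-Export app produces, counts the messages, finds the newest Date: header and flags the backup as stale when that date is older than a chosen number of days, which catches the case where an incremental export silently stopped. The sample mailbox is constructed inline; passing a path on the command line checks a real export.

```python
"""Check that an MBOX backup parses and is fresh (added example)."""
import mailbox
import os
import sys
import tempfile
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, Optional


def newest_message_date(path: str):
    """Return (message count, newest parsable Date header as a UTC datetime, or None)."""
    box = mailbox.mbox(path)
    count, newest = 0, None
    try:
        for msg in box:
            count += 1
            raw = msg.get("Date")
            if not raw:
                continue
            try:
                stamp = parsedate_to_datetime(raw)
            except (TypeError, ValueError):
                continue  # malformed Date header: still counted, just not dated
            if stamp.tzinfo is None:
                stamp = stamp.replace(tzinfo=timezone.utc)
            stamp = stamp.astimezone(timezone.utc)
            if newest is None or stamp > newest:
                newest = stamp
    finally:
        box.close()
    return count, newest


def check_backup(path: str, max_age_days: int, now_iso: Optional[str] = None) -> Dict[str, object]:
    """Summarise the backup; now_iso (ISO 8601 with offset) pins 'now' for repeatable checks."""
    now = datetime.fromisoformat(now_iso) if now_iso else datetime.now(timezone.utc)
    count, newest = newest_message_date(path)
    fresh = (count > 0 and newest is not None
             and now - newest <= timedelta(days=max_age_days))
    return {
        "messages": count,
        "newest": newest.isoformat() if newest else None,
        "fresh": fresh,
    }


# Constructed sample mailbox: two messages, the newest dated 1 March 2022.
SAMPLE_MBOX = (
    "From alice@example.com Tue Feb 01 09:00:00 2022\n"
    "From: alice@example.com\nTo: me@mydomain.example\nSubject: Old one\n"
    "Date: Tue, 01 Feb 2022 09:00:00 +0000\n\nFirst message.\n\n"
    "From bob@example.com Tue Mar 01 12:00:00 2022\n"
    "From: bob@example.com\nTo: me@mydomain.example\nSubject: Newer one\n"
    "Date: Tue, 01 Mar 2022 12:00:00 +0000\n\nSecond message.\n"
)


def write_sample_mbox() -> str:
    """Write SAMPLE_MBOX to a temporary file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w") as fh:
        fh.write(SAMPLE_MBOX)
    return path


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else write_sample_mbox()
    print(check_backup(target, max_age_days=30))
```

A backup that parses but is not fresh usually means the export job stopped running; a backup that raises on open means the file was truncated mid-write, and the last full export should be kept until a new one passes this check.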

Notes

I use Standard Notes (standardnotes.com) for organizing a lot of fairly random but important textual information. Standard Notes has excellent backup options, including options to save encrypted or unencrypted backups directly to disk, or have them sent regularly to you by email. Encrypted backups can be decrypted back into text or an unencrypted Standard Notes import file using an offline browser-based decryption script available at https://github.com/standardnotes/decrypt. Of course just having lots of plain text isn't super useful, and I need to be able to quickly restore a Standard-Notes-Like interface should Standard Notes become non-functional. For this I chose Joplin (joplinapp.org) an open source note app. It's not quite as flexible as Standard Notes, but would do the trick in a pinch.

Getting notes from a Standard Notes backup into Joplin takes a couple of steps, made much easier with a Python script available at https://github.com/tanrax/standard-notes-to-evernote-or-joplin. This script transforms an unencrypted Standard Notes backup file into an EverNote ENEX file called notes.enex, that can be imported directly into Joplin. If, like me, you like to store your Standard Notes backups as encrypted, you have to do a bit of wrangling to get the output of the decryption script into a format that works for the Evernote script. Specifically, the Evernote script expects the text to be in a file called “Standard Notes Backup and Import File.txt” that is in a compressed (ZIP) container. So the steps you need to do starting with an encrypted Standard Notes Backup file are as follows (for Linux, you can do similar on other operating systems):

  1. Decrypt the backup file using the web-based decryption script, and choose “download as decrypted import file”. This will create a file called decrypted-sn-data.txt

  2. Rename this file: mv decrypted-sn-data.txt 'Standard Notes Backup and Import File.txt'

  3. Compress this renamed file: zip sn.zip ./Standard\ Notes\ Backup\ and\ Import\ File.txt

  4. Run the conversion to ENEX script (you will need Python installed): python3 standard-notes-to-enex.py ./sn.zip

  5. Import the notes.enex file into Joplin (File –> Import –> ENEX (as Markdown))
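Steps 2 and 3 above are easy to get subtly wrong (a typo in the long file name, or zipping an empty file because the decryption step silently failed), and the converter will just produce nothing. The script below is an added example written for this page; it is not code from the article, Standard Notes or the converter project. It reads the decrypted file, refuses to package an empty one, writes it into a ZIP under the exact entry name the converter expects, verifies the ZIP's checksums, and reports a note count. The JSON layout it inspects (an "items" list whose entries carry a "content_type" of "Note") is an assumption about the Standard Notes export format; if the file is not JSON the count is reported as None and the file is packaged anyway.

```python
"""Package a decrypted Standard Notes backup for the ENEX converter (added example)."""
import json
import os
import sys
import tempfile
import zipfile
from typing import Dict, Optional

# Entry name the converter script looks for inside the ZIP (from the article).
CONVERTER_ENTRY_NAME = "Standard Notes Backup and Import File.txt"


def count_notes(raw: bytes) -> Optional[int]:
    """Count Note items if the payload parses as a Standard Notes JSON export (assumed layout)."""
    try:
        data = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    items = data.get("items") if isinstance(data, dict) else None
    if not isinstance(items, list):
        return None
    return sum(1 for item in items
               if isinstance(item, dict) and item.get("content_type") == "Note")


def package_for_converter(decrypted_path: str, zip_path: str) -> Dict[str, object]:
    """Write decrypted_path into zip_path as CONVERTER_ENTRY_NAME and return a summary."""
    with open(decrypted_path, "rb") as fh:
        raw = fh.read()
    if not raw.strip():
        raise ValueError(f"{decrypted_path} is empty; decryption probably failed")
    with zipfile.ZipFile(zip_path, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(CONVERTER_ENTRY_NAME, raw)
    with zipfile.ZipFile(zip_path) as zf:  # re-open and verify what was written
        entries = zf.namelist()
        if zf.testzip() is not None:
            raise ValueError("written ZIP failed its CRC check")
    return {"entries": entries, "bytes": len(raw), "notes": count_notes(raw)}


# Constructed sample export: two notes and one tag, in the assumed JSON layout.
SAMPLE_EXPORT = json.dumps({
    "items": [
        {"uuid": "1", "content_type": "Note", "content": {"title": "Passport", "text": "renew in 2025"}},
        {"uuid": "2", "content_type": "Tag", "content": {"title": "travel"}},
        {"uuid": "3", "content_type": "Note", "content": {"title": "Router", "text": "VLAN notes"}},
    ]
}).encode("utf-8")


def demo() -> Dict[str, object]:
    """Run the packaging on the constructed sample in a temporary directory."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "decrypted-sn-data.txt")
    with open(src, "wb") as fh:
        fh.write(SAMPLE_EXPORT)
    return package_for_converter(src, os.path.join(tmp, "sn.zip"))


if __name__ == "__main__":
    if len(sys.argv) == 3:  # python3 package_sn.py decrypted-sn-data.txt sn.zip
        print(package_for_converter(sys.argv[1], sys.argv[2]))
    else:
        print(demo())
```

The resulting sn.zip is then passed to the converter exactly as in step 4; a note count of 0 or None is the signal to look at the decrypted file before going any further.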

Messaging and phone

Messaging is quite straightforward, as like most people I only use text messaging for ephemeral communications that I don't need to persist for long. Thus backups and archiving are not really necessary, but redundancy of service is. I currently use Signal and Wire as my primary messengers, and have a few others like Element/Matrix and Session for experimental or backup use. While their usage is differentiated, they do all serve as a backup to each other. So for really important contacts, I try to connect with them on at least two messenger services, so if one goes away, then we can use the other. I also where possible ensure I have an email address for anyone I am contacting on a messenger, so if, for instance, my account gets disabled on one of the messaging services, I can easily correspond by email once I have a new account set up. Signal does, of course, have a critical dependency on a phone number, which I think is a vulnerability as the number itself is under the control of a third party (see below). So I am starting to favor messengers that don't require a phone number linkage.

Unlike messaging, phone numbers are a real headache for risk mitigation. The problem stems from two realities that are at odds with each other. The first reality is that keeping a phone number, if you are a privacy enthusiast, is actually quite a lot of work and to a large degree out of your control. Your phone number is owned not by you, but by whatever VoIP, landline, or cellular provider you lease it from. If that provider goes out of business, has a technical failure, or simply decides they don't want to do business with you anymore, you either lose the number, or if you are lucky you manage to move it to another provider through an unreliable, clunky process called porting. The second competing reality is the legacy social expectation that you will have a “phone number” and that this number will persist for years or even decades. So you have to act as if your phone number is virtually part of your identity, yet you have little control over its persistence.

It's 2022, why do we need to loan a 10-digit number in order to be able to communicate with people? The truth is we don't. We are so conditioned to our “contact information” being name, email address and phone number, that we don't think about how silly it really is given the many communications options available to us. So the shift I am making is as much a pushback against social expectations as a technical mitigation.

Here's my strategy. I own a longstanding Google Voice number. This number forwards to whatever VoIP number I am using currently, along with my office phone. SMS messages are sent to my email. Of course Google could pull this number at any time, but given all the options available to me I think it is the most stable number I have, even if it's not the most private. When someone asks for my phone number, I respond with something like: “I'm in the midst of switching providers right now (always true!) so the best way to contact me is by (email/messenger). If you really need to use the phone you can try calling my Google Voice number XXX and I should get the message”. In this way, I am minimizing the expectation that using a phone number for me will be effective, while giving a modestly reliable option if they absolutely have to use a phone. This means I have a somewhat stable personal phone number when needed, freeing me to use VoIP services for more “disposable” numbers, such as for forwarding from my main number or for temporary aliases. This is not perfect, and I'm constantly adjusting my strategy here.

Summary

What I most want you to get out of this article is a sense of the importance of planning in detail an alternate strategy for the online services that are important to you. It's only a matter of time until you experience a service failure, and if you plan for and mitigate such a failure you can minimize the disruption to your life. I can now sleep well knowing I have a tried and tested mitigation strategy for my most important stuff.

This article was originally posted in Unredacted Magazine Issue 003.

I am a privacy, security and technology enthusiast, most happy when tinkering with and trying new technologies. For me, it is truly a hobby – I love to explore what is possible and push what can be done with technology. I have a spouse for whom technology is a necessary and relatively uninteresting means to an end, and four teenage kids. One shares an interest in privacy and security, and she is motivated to try new strategies and tools. The other three are firmly in the “means to an end” camp.

Below I share some of my successes, partial successes and failures in attempting to implement family-wide privacy and security measures. The successes all share something in common – they provide some significant benefit beyond privacy and security to the family, with minimal cost. The failures usually stem from me incorrectly projecting my geeky enthusiasm onto the family. At the end I give some overall lessons I have learned which I share in the hope they are useful for others in a similar situation.

The successes

A whole house pfSense router/firewall with VPN. We have a modest sized house that is just a little too big for good coverage with a single WiFi router. A couple of years ago I decided to replace three separate routers (and three separate WiFi networks) with a pfSense router/firewall with three professional UniFi hotspots. The beauty of using the UniFi hotspots is I could set up multiple WiFi networks that are broadcast on all the hotspots, with each network corresponding to a different virtual network (VLAN). One VLAN passes through ProtonVPN (used mainly by me); one is open (used mainly by family) and one is for devices. pfSense lets me have lots of control over the security of the network as a whole, without any negative impact on the family. This change was a big improvement for the family – WiFi is simpler and has better coverage, speed and reliability. Meanwhile I get the whole house VPN and a chance to do security tweaks!

Secure messaging. This one was relatively easy, as the family was already naturally migrating to messenger apps, just the ones we don't like (WhatsApp, Instagram and Facebook Messenger). After setting up a family Signal group it took a couple of months of off and on usage before everyone defaulted to Signal as a primary family communications method. A success which I nearly blew a few months later when I decided to move the family group to Wire, as I wanted to be able to use more than one device for my account. After many sighs and eye rolls, the family made the move, and we now keep Signal as a backup and for non-family messaging. This actually worked out quite well in the end, as Wire is only used for immediate family communications. We know that if we get a message on Wire it is a “priority family” message versus the background noise of other notifications.

Prepaid cellphones. This was an easy win, as prepaid plans are considerably cheaper than postpaid, and concerns about being billed wrongly at the end of the month and being tied to a carrier go away. My spouse and two of my kids still use their “real” cellphone number, but at least it is in a prepaid plan in a generic name. We ended up putting all the family cellphones onto one account that everyone can access which makes management easier than having separate accounts for each plan (albeit at a slight cost to privacy). Interestingly, my youngest two kids see no use for a cellphone number anyway and always use messengers.

Internet data removal. Using the free Inteltechniques workbook, it was relatively easy for me to, with permission, go through the removal process for my spouse at the same time as for me. Even non-enthusiasts have some concerns about having their information on the Internet, and my spouse was happy to have someone do some cleaning on her behalf.

The partial successes

Use of a home alias. It actually surprises me that this one worked at all. It began when I started using an alias name for delivery of Amazon packages, and it kind of spread from there. Family members would laugh at me getting packages in a slightly goofy alias name. I then set up an alias for my spouse and she started receiving Amazon packages in an alias name. With a companion MySudo phone number and ProtonMail address, my alias is fleshed out enough to use for food deliveries and other online orders. Our home aliases are not really very robust, but by making it a goofy, fun thing we are normalizing the idea that you don't have to use your “real name” for many things, while reducing the amount of companies that have our real name and home address together on file.

Use of a PO Box for mail. I got somewhat lucky on this one, as we moved house a few years ago and it was natural to use a PO Box for mail in the transition, and we just kept it going. I take on the burden of fetching the mail weekly, and at least a moderate amount of mail (and most of the junk mail) now goes to the PO Box (actually the street address of the post office) instead of our home address. However, the benefits to the family are not very clear, and it creates some hassles – for instance our bank uses the PO Box, which has a different ZIP code to our home address, so family members have to remember another ZIP code for using the credit card at the gas station. Overall I have gotten away with this one, but the family isn't too happy about it.

Password managers. I really tried to get everyone using password managers. Of course my privacy-loving daughter uses one, and one of the other kids uses one just so he doesn't have to remember passwords. For the others, using a password manager is apparently just too clunky. We have had to resort to printing out account information, and using somewhat complex, unique but memorizable passwords for some shared accounts.

Masked credit cards. The family was dubious about this one until we got into one of those regular situations where we tried to cancel a magazine subscription but they still kept billing us. Because we had used a Privacy.com masked credit card we could simply delete that card and we never had to worry about it again. Using Privacy.com is still rather clunky for some family members and we're not using it universally, but overall it's been accepted and has been beneficial.

Unique email addresses. I have a domain set up at GoDaddy where individual addresses can be forwarded to different accounts. This works very nicely for having unique addresses for each service that can forward to more than one person – for example, we can have amazon@mydomain.com which forwards to both me and my spouse. This is working and has been accepted by family members, but it fails the “significant benefit” test and remembering which email is used for what is an added complication for people.

NextCloud home file server. I have an Ubuntu box on my home network that is set up as a NextCloud server. This is perfect for me, as it lets me synchronize files and photos across devices as well as providing a single repository that can be backed up easily. It also solves the difficult problem of sharing photos among family without having to get entangled with iCloud and its ilk (my phone and my spouse's phone automatically upload photos to a shared folder on Nextcloud when on home WiFi). The NextCloud app is not super slick, but does allow access to files and photos when necessary. It's not a perfect solution and several family members are also using iCloud, but at least it's some progress.

The failures

VoIP. I love my pack of nine MySudo numbers, but VoIP just didn't work for family members. Three of them already had a number they were attached to, and didn't want to risk porting it to VoIP along with having to learn a completely new app for texting and phone calls, and confusion about reliability and where and when you can call 911. The other two, as previously described, don't give out phone numbers anyway. This has been mitigated somewhat by us porting our old landline to Google Voice, which can then be forwarded to cellphones. Thus family members often give out this number rather than their cellphone numbers. Another VoIP mess came from me changing my phone numbers regularly and them never knowing which is the “real” one (tip: have one VoIP number for family and don't change it).

DeGoogling. I have pretty much entirely removed Google from my personal life (still need it for work), but Google is so pervasive I have to accept others in the family will use it. All of them use Gmail as their primary email (I keep a legacy Google account but don't really use it), and much schoolwork gets done using Google Docs and Chromebooks. I don't feel too bad about this, as at least Google is secure even if it's not private.

Keeping our home address completely private. The PO Box and the use of a home alias have really helped keep our home address off the popular people search websites, but keeping our home address completely private is too much of a leap given our family situation. It only takes a small leak in a water pipe to flood the basement, and similarly it only takes a few places to know your home address for a flood of junk mail to arrive. The school district requires declaration of a physical residential address to prove your kids are eligible, but once they have it you have lost control. Beware the college board. Recently one of our kids took an SAT test, which required registration with the college board, including automatic population of home address from the school district records. We now get 3-4 pieces of junk mail a week to his name at our home address. Even without this, it is just too much to expect all the family members to use alias names all the time.

General lessons

Of course every family situation is different, but here are some general lessons I have learned.

Keep your privacy hobby compartmentalized. Don't try to drag your unwilling family into your extreme privacy escapades! Have your own sandbox where you can play without affecting the daily life of your family.

Use a realistic threat model for your family. As a privacy hobbyist, I am constantly imagining advanced threat models. I am fortunate that I am not being hunted down by a violent ex-spouse, I am not a journalist or whistleblower, and I am not trying to flee a repressive country. But I love imagining what I would do if I were, and trying out the technologies I would use in various extreme scenarios. This can sometimes make it hard to keep your family threat model realistic. Your family threat model should likely be about the simple things that get most people, like phishing attacks, device failures and account compromise.

Only implement measures that benefit everyone. Before suggesting a potentially disruptive change to family protocol, make sure you can clearly explain the real benefits to them, as well as the cost. The explainable benefits should far outweigh the costs.

Don't hide things from your family. You probably think it's normal to have fifteen ProtonMail accounts and nine phone numbers, but your spouse might not think it is normal, and if you are constantly doing mysterious things in your basement your family is going to think it's a little weird. Make sure you are not hiding things from your family and especially your spouse, otherwise it can raise suspicions, and your relationship needs to be based on trust. Explain you enjoy this exploratory hobby, and offer to walk your spouse through your privacy setup (of course this does not apply if you are in an abusive relationship and needing to exit).

Be content with improvement rather than perfection. Celebrate the wins!

This article was originally posted in Unredacted Magazine Issue 001.