Pseudoanonymity and/or exiting cyberspace

[sky]

In the past I wanted to be anonymous on the internet. Today, one needs to be very strategic in how one uses the internet in order to maintain even a limited amount of privacy.

Over the next year, my goal is to learn how to improve my online behavior and technology to improve privacy. Here is an overview: https://youtu.be/XEV748x-Su8

Is it really worthwhile to strive for anonymity? Sometimes I imagine a full exit from cyberspace, but there is a lot of value in the content and communication on the internet. If one is connected to the matrix, perhaps following best practices with regard to anonymity will result in an optimal utility with minimal downside? On the other hand, one could try to be internet famous and join all social media possible to extend one's audience and media empire.

What do you think is the right approach, especially in consideration of how the net might change in the future?

In particular, it appears that one's online behavior results in an AI shaping the media that one sees. How will this develop?

[jacob]

JP said something in another thread about Sam Harris trying to arrange his matters in such as way as to be uncancelable. This level is also on my mind but I approach it from the other side in the sense that I try to behave in a way that nobody would want to cancel me. Also in the Marcus Aurelius sense of not having any secrets that would in any way destroy me.

I miss the days where people expressed and stood up for their opinion unanonymously with full name in the newspaper. You could look people's names and addresses up in the phone book and it was generally not an issue although you could get an unlisted number if you wanted. This system generated a measure of self-moderation because people were accountable for what they said in the public sphere.

Now, anonymity is often used to act in a way that is outside the Overton window. Some abuse this to take no responsibility and generally behave in a mutually destructive manner. Anonymity makes uncivilized behavior possible and since humans are generally not saints or sweethearts, it also removes that layer of "self"-control.

Now, I get that anonymity is sometimes required (whistleblowing), but as a general rule, I'm not a fan. It should be the exception rather than the rule.

As for the privacy/public ... that's a different orthogonal dimension to anonymity. Some people want privacy and some want the other. In light of the above, I think the attempt to be public while retaining privacy by using anonymity is bad for the social system because it gives the individual more opportunity to get away with bad behavior.

My rule is "if you don't want to stand behind what you're saying, you shouldn't be saying it in the first place".

[white belt]

Anonymity on the internet is difficult but there are many steps you can take to increase privacy. I do think it is worthwhile, but anything with privacy/security/anonymity is relative rather than absolute.

Step 1 is to identify your threat model. Whom do you want to be anonymous from? What is your worst case scenario you are trying to prevent? These questions will help guide you down the path first.

There are Wheaton levels to this and the most extreme is usually reserved for celebrities, those hiding from stalkers, and those who are very dedicated/paranoid. Check out inteltechniques.com and this guide as a starting point: https://inteltechniques.com/JE/Privacy_ ... eb2019.pdf

On the more extreme end, it is possible to almost completely mitigate the threat of doxxing by having no association between your real name and physical address. This is what public figures have to do because their real name and persona are already known. It’s much easier if you don’t need to maintain a large public presence.

[7Wannabe5]

I don't think my internet behavior is very different from, for instance, my real life book group behavior. The reason I like to maintain semi-anonymity is that IRL there usually aren't lurkers. Also, it's more like publishing something you said in a newspaper rather than talking freely at a party (although these-a-days the odds that somebody is digital documenting any live real world event is also much higher.) Anyways, I generally do go to the trouble of trying to meet at least a few members of any forum where I post IRL.

[sky]

My threat model (as of today) is that I see the fake news networks moving from cable TV to the internet in force. Using a Russia style deep fake strategy, where all political factions are pandered to by their own video networks/news outlets/forums that are entirely created and managed by a group or groups seeking to maintain political or economic power. Every user will be AI categorized into a silo and fed AI generated information based on past clicks or posts. This has been happening in the past, but the main goal has been keeping your eyes on the screen to watch ads. Soon there will be Trump silos, Democrat silos, Antifa silos, Occupy silos, Christian silos, Country silos, Q silos, all filled with content designed by AI to keep you tied to the latest event, and angry about the opposing team. They will probably all use the same AI technology and be under the control or at least guidance by the same tech firms.

I hope this is just a silly conspiracy theory, but it seems like a possible and likely outcome.

[jennypenny]

This level is also on my mind but I approach it from the other side in the sense that I try to behave in a way that nobody would want to cancel me.

The problem with your approach is that it's hard to predict what kind of behavior will become grounds for cancelation in the future. It's not that hard to envision -- if we lurch towards a more collective mindset -- that ERE principles could be seen as suspect. Dropping off the grid, 'retiring' early, and avoiding traditional work could been seen as privileged behavior and/or a sign that a person is shirking their civic responsibility.

Don't you remember when this graphic made the rounds after the National African American Museum of History and Culture posted it on their website? ERE definitely falls into white privilege territory according to the graphic. The Smithsonian apologized and pulled it, but the sentiment was apparently popular enough to get it published in the first place. I don't see this as a race issue so don't take my comment the wrong way. I used that graphic because it's an obvious/concrete example of where ERE could be seen in a negative light by certain groups in the future.

[unemployable]

It's not that hard to envision -- if we lurch towards a more collective mindset -- that ERE principles could be seen as suspect. Dropping off the grid, 'retiring' early, and avoiding traditional work could been seen as privileged behavior and/or a sign that a person is shirking their civic responsibility.

What if one reason we ERE'd was because we wanted to escape this mindset in the first place? What are they gonna do, shun us?

Don't you remember when this graphic made the rounds after the National African American Museum of History and Culture posted it on their website? ERE definitely falls into white privilege territory according to the graphic.

Oh, that's hilarious. Rugged individualism is white privilege, so instead we should live... like slaves?

[Loner]

Cancelation seems to be a problem for public figures mostly. In this case, anonymity is impossible. Your work happens in the open. And if you’re a nobody, then nobobdy cares about you, so why bother about making yourself invisible – you already are.

If you decide to do so anyways, with data leaks happening every other week, it seems harder and harder to ensure anonymity. Granted, it’s in Russia, with very poor data protection, but journalists have even used leaked data to follow spies’ movements: https://tinyurl.com/y6fot6hn I’d be curious to know how much info about the average person is already floating out there.

This being said, I do take basic steps to try to ensure some anonymity when possible, like here (usernames, complex PWs, give little personal details), and I’m naturally not a big social media user, but in the current atmosphere, everyone is at risk, and it’s hard not to feel like you’re walking on eggs all the time.

Even being “your best self” won’t work. As JP states, what is unspeakable and what is not shifts constantly, and right now, rapidly as well, so unless you’re willing to speak only platitudes, you’re at risk. Just here this fall, at the U of Ottawa, a prof merely pronounced the word “nigger” to illustrate how certain groups reclaim slurs to fight back on hatred. She got cancelled (suspended and lost her classes) after students complained. There used not to be such a PC culture here in Canada, but it’s slowly creeping in from the US, creating situations like that one, a real nation-wide shit-storm. After many op-ed on freedom of speech, etc., she got her classes back, but there’s no telling yet what impact it will have on her career.

So ultimately, my approach is that of the philosopher: resignation. There’s a risk and that’s that, like crossing the road. For me, the alternatives, like letting yourself be cowered in self-censorship/silencing (the only true “solution”) and putting a vast energy in trying to ensure a very high level of safety, are worse. YMMV.

ERE does give you some immunity against cancelation, since it works primarily by cutting your cashflow, but being picked on by the crowd could also cut off some future employment opportunities, and that might matter, if you care.

As for ERE being suspect, I think it already is, to some extent, in come circles (viewtopic.php?p=229969#p229969).

[sky]

I am thinking that the solution is not to attempt anonymity, but to move to less screentime and more time in the real world.

I would like to learn how to reduce my internet profile, but still participate and use the net in a positive way. I want enough security to not lose money to hackers.

I am disgusted that it seems that cable TV media is moving to take over the internet. Hopefully one will be able to find more valid and meaningful web media, even if the general push is to go to mass media outlets.

[sky]

Rob Braxman Tech Youtube Channel
Notes from videos

Browser Fingerprinting
Threat: Browser Fingerprinting used by Google and Facebook to identify users and log activity for advertising and possibly in the future political categorization.
Browser Isolation Technique
Do not use Facebook, Facebook Messenger, Instagram, WhatsApp
Use separate browser for Google products (use Chrome). You will log in to Google to use these products, and your activity here will be tracked.
Use Firefox for searches (on DuckDuckGo), more private activity and financial websites
Never log in to Google on this browser.
Possibly a separate browser for financial websites
Strip metadata from your photos before uploading anywhere.

Politics and Profiling
Politics, Religion, Financial Status, Beliefs, Personality are profiled.
Search results are returned based on your profile.
Censorship may be based on your profile.
Companies which profile you and sell this information:
Jigsaw.google.com
Palantir
Cambridge Analytica

Companies intend to use data to change your opinion.
Targeted messages to subgroups. Misinformation, propaganda.
Example: LA Gang control, precrime harrasment based on profile
Manufactured (fake) content targeted to profiled users: Brainwashing
Identity disinformation, separating your identity from online activity confuses the AI
If the AI cannot connect an individual to online speech or activity, that activity is useless to the AI
Techniques:
Pseudoanonymity
Hide your IP address
Phones with no device fingerprint
Block browser fingerprinting
Leave Facebook

Passwords 101
Types of threats:
Online Attack
Offline Attack
Massive Cracking Attack with Brute Force Cracking – faster offline and with supercomputers

Password Dictionary - list of potential passwords
Need to come up with a password that is not in the Password Dictionary

1. Password must not be in dictionary.
2. 12 character passwords are secure.
3. Using lower case, upper case, numerals, special characters increases the complexity and difficulty of cracking.
4. Create tiers of passwords depending on how much you trust the website. Will it store the password in plain text? Use simple passwords if you don’t trust the website.
Tiers of passwords: financial websites, social media sites, business sites, untrusted websites. Use one password for each tier.

If you hear of a hack of a website, you need to change your password.

Defending your Privacy with Disinformation – Top Three Tips
Types of threats:
Active Surveillance
Mass Surveillance
Behavioral Profiling
Message Manipulation
Individualized Attacks

Data Mining
Cambridge Analytica
Political Microtargeting
Targeted Fake News
Influence Votes
Market Products

Data is not useful to AI/Data Miners if you disconnect your identity from your searches, Youtube watching and browsing.

1. Get Rid of Google Phones and Apps
Use a DeGoogled Phone, Linux Phone, or older phone

2. Use a VPN or TOR to hide your IP address
Do not use Facebook (Whatsapp, LinkedIn) or allow it to be used on your IP

3. Separate Your Identities
Social Media, Business/Work
Do not use the same images, they can be searched
Do not use the same emails or phone numbers between identities

Set Up Computer Safely
On a regular basis, reset computer to factory settings and set up again
1. Machine Name
Do not label your machine with your real name. Use random letters/numbers.
2. User Name
Use a fake nonstandard name, obscure word, user, janitor. Do not identify the admin account as admin.
3. Create a second user immediately, this account will not have admin rights, and will be used daily. This could be called admin but does not have admin rights.
4. Antivirus. Do not install an antivirus.
5. Your computer setup is temporary. Reinstall and start from scratch regularly. Document reinstall process to make this efficient. Any data that is important to keep should be stored on removable storage.
6. Email client. Use only Mozilla Thunderbird as an email client.
7. Privacy Badger. Detects fingerprinting cookies and blocks tracking sites.
8. Install a VPN.
9. Secure Boot. Turn off Secure Boot if the public cannot access your computer.
10. Firewalls. Set up firewall.
11. Recieve Security Updates Automatically.
12. Turn off Intel AMT. Advanced Management Technology. VPro (remote access on Mac and Windows).

Voice Recognition
Speech AI, Text-To-Speech/Speech-To-Text, Android TTS Engine, listening devices
Cloud-based Voice Recognition
Now phone apps send wav file to the cloud and it is processed with supercomputers.
Voice files are stored by Apple/Google/Amazon databases. Transcription of voice files are stored by Apple/Google/Amazon databases. Voice dictation creates a copy which is sent to Apple/Google/Amazon.
Voiceprint is a biometric recognition used by government. The technology may evolve and be used by Apple/Google/Amazon.
Ambient sound can be used to identify your location.
Home appliances can be voice activated and can also be used for voice recognition.
Some toys act as a listening device.
Degoogled phones, linux phones, have no Android TTS Engine.

Privacy. That’s LinuxPhone. True? False?
The answer may be different for each person.
Linux Phone – Librum5, Pine Phone
Flash Ubuntu on Android, a hybrid type
DeGoogled Phone – Lineage OS without Google Apps. Generic OSB, GrapheneOS CalyxOS.
Breakdown by Threat:
1. Hacker. Could control, read contents, download pics. High profile people are targets, GrapheneOS is a good choice. Linux phones are less hardened. SD card could be stolen. Personal habits can reduce phone hacking threat: no data on the phone, pictures uploaded to cloud and deleted from phone. Main activity is on a computer, not a phone.
2. Internet Giants: Google, Facebook, Amazon, Microsoft, Apple.
Tracking you on your phone daily, 24/7. They are compiling a profile of activities which can be used to attack someone, control someone, manipulate opinions, and sell the data to others who would do even worse, or share data with three letter government agencies. Number one fear is the collection of massive databases on each person. Best choice here is a linux phone. Stay away from iOS or Android. Linux phones have no links to the giants, so there is no built in trackers, device fingerprinting, or Google logins or identities. A second choice would be any DeGoogled Android phones. This is one of the most dangerous threats in our time, and it is immediate. It will render any anonymity moot on the internet. You will have no secrets and it will be attached to your real name.
3. Government agencies and powerful people.
The main threat is in the hidden hardware on a phone (SOC - Systom on a Chip) which connects to the cell phone carrier. Cell base band modem connects to the cell carriers, and it is a separate computer by itself. Texts can be intercepted, the microphone can be turned on, Sim card data can be read, calls and texts can be made on your behalf. Passive surveillance of a groups, such as find all the phones located in an area of a protest, log their IMEI/IMSI numbers, and eavesdrop. No phone can withstand this threat completeley, although some Linux phones have switches that can turn off power to the base band modem.

The average person is probably most concerned or affected by threat 2, and the best response to this threat is to use a Linux phone. On the physical access side, a Linux phone is easily compromised. But on the remote hack side, open source apps are likely not to have vulnerabilities.

Linux phones are in development and not yet stable, but hopefully there will be Linux phone options available soon.

[sky]

Internet Security To Do
This is a checklist put together by a non-expert (me).

1. Do Not Use Facebook.

2. Use secure passwords, use a combination of uppercase, lowercase, numerals, other characters of at least 8 characters in length. The password must not contain a dictionary word or common pattern. Set new passwords annually. Set new passwords if you hear of a hack. Keep a hidden paper copy of passwords. Keep a second paper copy of passwords in a safe.

3. Use a VPN. Possibly use your home IP address for the Google browser (see below), but use a VPN for all other browsing. Some financial and other websites don’t like VPN and you may decide to use them from the home IP address. It may be best to use a separate browser from the Google browser to access these websites from your home IP address (see below).

4. Isolate Google. Use one browser (Chrome) for Google products, and another (Firefox) for everything else. Never log in to Google on the second browser. Always use a VPN when using the second browser. Limit your use of the Google browser to noncontroversial subjects and accept that everything you do on that browser will be tracked. Another strategy would be to use a second computer to access Google on the home IP address, and use it only for Google. The second, non-Google computer would be permanently connected to VPN. Never log in to Google on the non-Google browser, and avoid Google products on that browser.

5. Turn off Sync and password Autofill. These browser functions will save your username and password to another server. This applies to strategic websites (financial, banking, insurance, pension, healthcare, etc.)

6. Export your bookmarks to an html file to save them. Have one list of Google product bookmarks for your Google browser, and another list of bookmarks for your non-Google browser. This allows you to easily import your bookmarks between new software installations.

7. Keep your data on removable drives, not on the main drive of the computer.

8. On a regular basis, reset your computer to factory settings and reinstall software. Do not label your device with your name, use random numbers and characters. Use an obscure name as the administrative user. Do not label the administrative user as admin. Use a second username without admin permissions for daily use of the computer.

9. Write a procedure list on how to reinstall and reconfigure your operating system to get it back to your preferred configuration.

10. Do not use an antivirus.

11. Use only Mozilla Thunderbird as an email client.

12. Purchase a hosted domain that is does not reference your name to use for email. Use the domain host security method for hiding your name as owner and technical contact for the domain. Possibly also install a cloud data system on this domain.

13. Move your email presence to this personal email domain as much as you can.

14. Back up your data, keep your backup media in a safe. Back up non-strategic data to your cloud.

15. When available, move to a Linux phone. Until then, accept that your activities, voice conversations and location will be tracked on Android or Apple phones.

16. There may be websites that allow you to watch Youtube without being tracked. If you use an additional browser on VPN (in addition to the above), you could watch video without being logged in. Use Youtube search instead of subscriptions. If you have favorite channels, bookmark the channel and check it using a bookmark, without logging in.

17. Do not use the Google Search Engine. Use DuckDuckGo.

18. Set up firewalls and automatic updates for your devices.

19. This To Do List is based on using a Linux computer, in particular a Raspberry Pi 4 as a desktop.

[bostonimproper]

You can save yourself a lot of work by using Firefox containers. Also use an on-device password manager to auto generate passwords for you. I suggest 1Password. If you do choose to memorize passwords yourself, I find coming up with a sentence and remembering the first letter of every word to be effective.

You can also store sensitive data on device or in the cloud by encrypting it locally first. Veracrypt is useful for this.

Keep in mind, if you are mostly avoiding targeted ads, all this is probably overkill and most of the benefit you get is by not being on social media and ad blocking. Your age, address, race, credit info, mortgage, gender, income bracket have all been put into some LexisNexis database a long time ago and will continue to be updated any time you make any major financial transaction (open an account, buy a car, etc). Targeted mailers, the ads you see on tv, billboards, etc, already impute some amount of your likely demo information.

If you care about surveillance, you basically need to disable geolocation for every IP addressable device you have, never go to a public place with cameras (i.e. nowhere given smartphones and Ring doorbells), and throw new checkered patch stickers on your face every time you go outside. Otherwise you can try lobbying you local, regional, or federal government to put anti facial recognition laws into place. [this is to say, good luck avoiding surveillance entirely] Minimum you should do here is have camera blocking stickers, privacy screen protectors, and turn off geolocation when you don’t need it.

[jacob]

The flipside here is that by doing all this you're increasingly sticking out like a sore thumb or perhaps rather not "sticking in" in the first place. For example, it might raise flags with employers (and the government) if you do not have a facebook account or if said account demonstrate "unusual behavior" whatever that is: "What is this person trying to hide?"

Dialing that up another notch, "social credit" might become some kind of currency as some point. Such numbers can surely already be calculated. Insofar you (your accounts) don't meet thresholds, it might be hard to do certain things. An obvious one is credit score. For example, I have no idea what mine is ... but I'm sure it affects what I pay in insurance and possibly also whether it's possible to work in certain places. In terms of personal experiences, I'm [famously] smartphone free, but this turned out to be a major hassle when I visited Denmark, which is now heavily electronically integrated, a couple of years ago. It was a major hassle to buy a train ticket or navigate the bus system. Banking was a mess having to show up at a specific branch where they still dealt with dinosaurs like me.

And ultimately, there's the problem of the "weakest link". Your security might be super tight, but if you're connected to just one other person who is loose, there goes your security. E.g. you've done everything right, but then you connect with a person who clicks yes on "sharing all the details of your contact list" so they can take a fun quiz on which kind of spirit animal they are. Also photo tagging. This also works indirectly. Even if you studiously block all ads, you'll only end up being served ads based on what your weak contacts happily click on.

It's also conceivable that the game is lost at this point. Whenever a company offers to delete your [input] data I take it as a sign that they already calculated enough [output fit parameters] so they can easily identify you again. In short, they no longer need "your data" because they already computed what they wanted from it.

My conclusion is that it's important to choose the right degree of security/privacy (still recognizing two different dimensions here). You want enough so that nobody hacks your bank account, but maybe not so much that nobody wants to hire, date, ..., or let you on the airplane. I see it as making your home theft proof. You want to do just enough to make the thief choose another house but not so much that you end up getting snagged by your own booby traps. In particular, whether it's possibly to eliminate thievery at this point is largely academic.

[sky]

I am not trying to hide my identity, I am a known item. I am putting Google in a sandbox so it only datalogs me when I use Google services.

The most important thing that I did was to change my passwords, for the first time in about a decade. I have been very lazy in regard to security.

I was quite shocked when I went to my Google account and found the saved username/login information used for autofill. And then I clicked one button and downloaded a csv file with a better list of usernames and passwords than I kept myself, including financial website logins. During the recent hacking event, I received a few emails regarding failed delivery of emails that I did not send. That concerned me, so it was a motivation to go through and change passwords.

I value Google services very much, however I don't want to be entirely dependant on Google for everything online.

I have done most of the items in the above checklist, and I like my new setup very much.

[Scott 2]

Have you looked into adopting two factor authentication on all your accounts? After a password manager, my next step would be a physical security key, like YubiKey.

Edited to add - also a service where you can generate unique credit card numbers per site. And, ideally - unique email addresses per site. I don't go to this level, but these are vectors I think are more likely to cost your privacy.

[Ego]

I second a password manager. Preferably one that allows you to use a hardware security key. You can generate 99 character passwords that are virtually uncrackable. You can use the key as a 2fa login to many of the most important systems (banks, email...)

Proton has released their ProtonDrive, a private, encrypted cloud backup. Not quite as easy as OneDrive but it works. They also have a good VPN, private email service and calendar alternative (beta). They are working toward creating fee based alternative to many Google components except search. Not cheap, but as the saying goes, unlike with Google where you are the product.... with proton you are the encrypted customer. https://protonmail.com/blog/

That said, there is a push to dismantle encryption https://www.eff.org/deeplinks/2020/10/o ... encryption

@Scott 2, Yes MySudo has launched on Android now as well as iOS. Privacy.com is the other for credit cards. Firefox has built in Firefox Relay to create throwaway email address.

Also, the Ledger leak has highlighted the importance of having a mailing address that is not your home address and of securing against SIM swaps.

[Myakka]

So many different ideas on how to protect oneself on the internet, but I don't see how an individual is to really know either what the dangers really are or what strategies effectively reduce the dangers -- other than a partial exiting of cyberspace.

The dangers I am most sure about are the addictiveness of many sites. Possibly this has already been discussed elsewhere on these forums, so I won't enlarge about how I keep a lid on that here.

All I know is that it helps to continually try to teach myself not to want their stuff. Once you want their stuff they have a leash to control you with.

[white belt]

So many different ideas on how to protect oneself on the internet, but I don't see how an individual is to really know either what the dangers really are or what strategies effectively reduce the dangers -- other than a partial exiting of cyberspace.

The posts earlier in this thread are pretty accurate about highlighting threats and mitigations. Basic stuff like using a password manager, multifactor authentication whenever possible, keeping software/hardware update, using email masking, and using more secure communications like Signal are all widely recommended and effective. As data breaches become more commonplace, assume any website you use will be hacked, therefore you should take steps to mitigate that breach (financial institutions generally have some of the weakest cybersecurity measures). A credit freeze is also a good idea.

Partial exiting of cyberspace may put you more at risk if you are re-using emails/passwords between different accounts and are not keeping track of what sites have your data. Also exiting cyberspace means someone else may be able to use your already leaked “sensitive” data like SSN for IRS forms, credit card applications, unemployment benefits etc.

[Scott 2]

Also exiting cyberspace means someone else may be able to use your already leaked “sensitive” data like SSN for IRS forms, credit card applications, unemployment benefits etc.

This. A record of your identity is being created. Better to claim and monitor it, than to leave it unsecured.

[sky]

I am close to getting my system up and running in a way similar to my previous system.

At this time, I have:
VPN on my desktop computer, but not yet on Android or my laptop.
On my desktop, I have separated Google services to the Chrome browser, and other websites to Firefox.
I have changed all my passwords to secure, complex passwords.
I have listed my username/passwords on paper, and have written a second copy to paper in a safe place.
I have backed up my data on multiple drives. My data is stored on removable drives and not on the sd card with my operating system.
I have rebuilt my operating system and desktop and have it in a condition ready to be backed up to an image. Then I can reinstall the image and have it installed complete from this point in time. Still testing a bit but its pretty close to being ready.
I have documented the process of installing a new operating system and program installation to the current status of my desktop/OS.
Every time I reboot my desktop I am on a new ip in a new location through a US VPN.
I set up a new domain name and server to use for email and as a web drive.
I plan to continue to use Google services but try to move away from gmail, drive, hangouts, voice, maps and Android step by step. I used to love Google, but now regard them with caution. Too much spying.

Observations:
I occasionally get captcha requests (Discord, Google). This has reduced, I assume they use cookies to identify my browser. I still accept cookies.
Two factor authentication goes to my Android phone or my email. At this time, I could not opt out of the Android system if I wanted to. I used to dislike 2fa but now I accept the inconvenience as higher level of security for me. I will leave as is for now but may try to move 2fa to email if possible. Sometimes they want non-VOIP phone numbers.
Occasionally get stern warnings that my security may be breached. In fact it is the ability of big data to track me that is being thwarted.

To do:
Buy another domain and server to publicly host documents and images?
When linux phones are cheap and useful, switch away from Android to linux.
My current username/password list is on paper. I may make a spreadsheet with website url - username - password information to print out, then delete the password column. I don't want a list of username/passwords in digital format, but writing them on paper is not as efficient as using a spreadsheet.
I may buy a second Rpi and set up a wifi bridge to the VPN. I am not 100% sure I know how to do this, but it would save me from having to buy more individual device connections to my VPN provider. This is sort of a geek test of strength which is more about leet skillz than cost effectiveness. I could then drop terms like masquerade and iptables and be cool.
I would like to move to a VOIP eventually but will wait until linux phones are available and see what plans they have.