I recommend that you think hard and properly access your threat profile. You are likely going to have to pay with either your wallet (eg: some sort of company incorporation, lawyer fees, forwarding services, and other privacy protection services), your time (eg: using “inconvenient” services, managing separate accounts, etc.), or both. It can be draining (in more than one way) and take away some of the joy that you’re intending this to bring you if you do too much to protect yourself. On the other hand, if you do too little then you can overexpose yourself leading to pricey or dangerous situations.

At a minimum, I would recommend incorpating and making sure your name is not publicly tied to the company in any way. You will likely need a person/company/lawyer to be publicly listed as an agent of some sort for the company. You should be able to have someone do this for you for a small-medium sized fee. Once you have that, do everything in the company’s name and ideally with separate phone numbers, email addresses, online accounts, bank accounts, and physical addresses as anything tied directly to you.

Some of that is to protect yourself financially and legally, but there are some obvious privacy benefits as well. Anything beyond that should be dictated by your threat profile.

As always though, follow best practices when it comes to security! Use strong passwords and use multi-factor authentication when possible (or ideally, use passkeys). Don’t reuse passwords (and ideally, don’t reuse email addresses for multiple accounts). Avoid clicking links in messages when possible. Don’t open suspicious documents (especially if they are unexpected). Verify the authenticity of any new person/business you interact with (especially if they contact you first). Be vigilant of all forms of phishing attacks.

Another piece of advice (that you didn’t ask for, sorry!) - if the process of making art is the thing that brings you joy and the materials are not too expenses, then just focus on making the art without selling it (at least for a while). At worst, you will realize that maybe this isn’t as enjoyable as you thought it would be with the added benefit of not needing to deal with all the troubles of working through all the legal/financial/privacy protections. At best, if you decide to get serious about selling it then you’ll have a larger product inventory and better understanding of what you like making most. It may also help you understand what you should price everything at (assuming you’ve made some of the items in larger quantities).

I believe Google plans to use Google Play Services to block side loaded apps. By default, GrapheneOS does not come with Google Play Services installed. I am not sure how things would work if the sandboxes version of Google Play Services that GrapheneOS provides is installed.

The issue about maintaining/updating GrapheneOS is a separate issue from side loading apps. That was due to Google shifting the development of Android to a closed source model and only open sourcing the final code. This limits the Grapheme team’s ability to anticipate changes and make any required adjustments until after the release of Android.

It is not clear that this is the app that will be used for the new watches. I imagine it will support the new RePebble watches, but I believe that app was intended for the original Pebble watches.

The thing that makes it so unclear to me is that this is a repo owned by the Rebble team, not the RePebble team. I do not know how much overlap there is between the two teams, but the RePebble team does not have any open source repos that I could find. Any mention of open source software by RePebble (including the OS) are links to repos owned by other teams, which is a little concerning.

I understand that the watch operating system is open source. However, it seems that the watch will connect to a companion smartphone app. Do you know if the app is a requirement and/or if the app will be open source?

There is no one-size-fits-all solution and there likely isn’t a solution that works for everyone even in specific situations due to different threat models. Purchasing and using a custom domain is often listed as a good practice for maintaining a person’s privacy. However, it can be even more detrimental to a person’s privacy than just using a trusted email masking/forwarding service and trusted email provider. For example:

• The domain is purchased without WHOIS protection (or without using non-personal information) or the WHOIS protection is not renewed
• The email server is hosted on hardware that can be linked to other services that identify the individual (eg: the email is self hosted using a home IP address)
• A self hosted email server is configured in a way that leaks information or is configured insecurely
• The email domain is used by only one person, which enables agencies to link each individual, unique email address back to that individual and create an aggregated profile across various accounts/services
• If the domain/DNS is not configured properly (or if the domain is not renewed), then the domain (and thus the email accounts) can be hijacked, which could lead to any additional accounts/services that are still using the domain vulnerable to a take over attack
• The email server is hosted by a privacy invasive company/service
• The person assumes that all emails are private since they use a custom domain on a trusted email provider (or self hosted email server), but continue to send emails containing sensitive information to email accounts running privacy invasive email services (eg: Gmail)

Please note that I am not saying that this is not a good option, but I just wanted to note some of the things that should be considered if a person decides to use a custom email domain to improve their digital privacy.

My beef with them is that they’re either pushed by scammer to empty honest but gullible people’s bank accounts, or they’re used to pay for illegal activities because they’re totally opaque and unregulated.

Scammers also use gift cards, checks, wires, cash, bank accounts, investment funds, and many other means to accomplish this. Several of them are tightly regulated and it does not seem to deter or prevent the scams from occurring.

My other beef is that they’re really securities and they’re not subject to the rules on securities for a reason that totally escapes me.

Admittedly, I am not well versed in this area. Do you foresee a way to properly subject cryptocurrencies to the same/similar regulations as other securities while still providing many/all of cryptocurrencies’ benefits, including anonymity? Are the legitimate cryptocurrency exchanges (eg: Coinbase) not subject to those regulations? How different is this from individuals being taxed on gains/losses from cryptocurrencies?

I don’t do cryptocurrencies both out of self-financial preservation, and also because I refuse to participate - and thus promote - stuff that’s generally bad for society as a whole.

The first part is in relation to investing in cryptocurrency moreso than using cryptocurrency.

What makes cryptocurrency generally bad for society as a whole? While I am not familiar enough with the current estimates, I know there are environmental concerns (eg: water/electricity usage, required hardware, etc.). I concede that the environmental impacts may be (and likely are) worse than traditional fist currencies, I am unaware of other reasons that make cryptocurrency generally bad for society as a whole.

Trump loves em

Many privacy advocates also love cryptocurrency. Two different people or groups of people (no matter how similar or different) can have one or more shared interests, even if the reasons or motivations are drastically different. It is likely best to avoid politics on this topic.

• Edward Snowden Says Use Crypto, Don’t Invest In It
• Edward Snowden Calls Bitcoin Most Significant Monetary Advance Since The Creation Of Coinage

Cryptocurrency

Hard no. I don’t partake in scams, even for the sake of privacy.

Is this in relation to the monetary value of cryptocurrency or the anonymity of cryptocurrency?

The list included cryptocurrency as a channel for anonymous payments, not an investment opportunity. The two cryptocurrencies listed are two of the more well established cryptocurrencies that are more widely accepted than many other cryptocurrencies (granted, one or both of them are still not accepted by a large number of merchants). Additionally, the list also mentions some of the considerations necessary to help ensure the cryptocurrency is obtained anonymously.

If the list only included insert_newly_created_obscure_cryptocurrencies then this would definitely be more concerning.

However, if the cryptocurrency is both obtained and used “properly” where the person is ultimately anonymously exchanging cryptocurrency for a desired good(s) or service(s), is it truly a scam?

This is definitely the wrong answer for this community, but may be an acceptable answer for this post. I have never used it nor would I ever recommend using it, but the conversations I have had with others who do use it make it seem like the service is far better than any alternative. Given the OP’s requirements and willingness to both pay and sacrifice privacy, it seems like this may be appropriate for OP.

I would still explore other options though. There are several competitors to Life360 and presumably there are some with better privacy policies (even if the service would not typically be recommended on this community). Maybe OP could use a service like https://tosdr.org or https://tldrlegal.com to better evaluate those options that would likely not get much attention on this community.

Depending on the required features, maybe the Live Location Sharing feature of chat apps like Element may be sufficient. It could also help improve the privacy of the users’ by switching to a more private/secure messaging app in the process.

In terms of privacy, you are giving your identity provider insight to each of the third party services that you use. It may seem that there isn’t too much of a difference between using Google’s SSO vs using your Gmail address to register your third party account. However, one big distinction is that Google would be able to see often and when you use each of your third party services.

Also, it may be impossible to restrict the sharing of certain information from your identity provider with the third party service. For example, maybe you don’t want to share a picture of yourself with a service, but that service uses user profile pictures or avatars. That service may ask (and require) that you give it access to your Google account’s profile picture in order to authenticate using Google’s SSO. You may be able to overwrite that picture, but you also may not be able to revoke the service’s ability to retrieve it. If you used a “regular” local account, that Google profile picture would never be shared with the third party service if you did not upload it directly. The same is true for other information like email, first/last/full name, birthday, etc.

There are other security and operational concerns with using SSO options. With the variety of password managers available, introduction of passkeys, and increased adoption of multi-factor authentication, many of the security benefits associated with SSO aren’t as prevalent as they were 10 years ago. The biggest benefit is likely the convenience that SSO still brings compared to other authentication methods.

Ultimately it’s up to you to determine if these concerns are worth the benefits of using SSO (or the third party service provider at all if they require SSO). I have a feeling the common advise will be to avoid SSO unless its an identity provider that you trust (or even better - one that you host yourself) - especially if you’re using unique emails/usernames along with strong and unique passwords with multi-factor authentication and/or passkeys.