TL;DR: Lockdown, an open-source privacy protection firewall, is used by more than 100,000 privacy-conscious Apple users to block tracking, ads, and badware while preserving functionality. The free solution, available on iPhone, iPad, and Mac, works for both browsers and apps. Lockdown is the world’s first product designed in compliance with the Openly Operated standard — a structured transparency certification that leaves no room for dishonesty or carelessness.
It’s normal to feel conflicted when that shiny new app you just downloaded asks for permission to access your camera, contacts, or microphone. If a stranger you just met asked to dig through your handbag, you’d be wary of his intentions, no matter how politely phrased the request.
Still, we willingly permit developers to access our digital worlds, sometimes in seconds, pushing aside our fears and doubts in the name of app functionality. According to the folks at Lockdown, an open-source privacy protection firewall, that’s not OK.
“As programmers ourselves, we understand how much power a developer has,” said Johnny Lin, Founder at Lockdown. “In reality, that snap decision you make — whether or not to allow an app to access your data — can have real consequences.”
To promote transparency in the tech industry, Lockdown created the Openly Operated standard, which provides a structured method for every app developer to prove their intentions are honest.
Lockdown is the world’s first Openly Operated product of its kind. In the long term, Openly Operated hopes to provide easily accessible proof of every app’s privacy and security claims — ideally, at the same time that an app requests permission for data.
In the meantime, Lockdown is empowering consumers to block tracking, ads, and badware (spyware and adware installed deceptively) through its free and open-source application. The free solution, available on iPhone, iPad, and Mac, protects both apps and browsers while preserving functionality. And, because it is an Openly Operated product, users can see precisely what Lockdown is doing — and not doing — in terms of security and privacy protection.
Promoting Transparency in the Tech Industry Since 2017
In 2017, before launching Lockdown, Johnny and Rahul Dewan, both former Apple engineers, started Confirmed VPN. The fully audited, log-less Openly Operated VPN protects data from hackers, internet service providers, and other prying eyes.
“We had identified an issue in privacy and security products everywhere,” Johnny said. “People were assuming these products could be trusted. But we found that wasn’t true — one glaring example of this was Facebook’s secret purchase of Onavo VPN.”
In October 2013, the social media giant quietly acquired Onavo and used the company’s analytics platform to watch competitors closely. Because the VPN was used to monetize data collected in private environments, many classified Facebook’s application of the technology as spyware.
“They secretly gathered users’ traffic data and exploited it for their own ad targeting and market research purposes,” Johnny said. “A VPN is supposed to protect user privacy. In that case, it did the exact opposite.”
As Johnny and Dewan continued to research the VPN industry, they found a lot of companies were based offshore with questionable ownership and no real guarantees or assurances in terms of what type of encryption was used.
“That was alarming for us, so we set out to solve the problem with Confirmed VPN,” Johnny said. “Because it’s Openly Operated, we must follow a strict set of standards. Ownership must be totally transparent, the entire backend and frontend must be completely open-source — and we have to be able to prove our claims.”
“We looked at the APIs that we were using, and we realized that we could block tracking traffic coming from third-party apps on people’s devices,” Johnny said. “So we introduced Lockdown, which protects your privacy while preserving the main features of the app that you want to use — so you get all of the good stuff, none of the bad.”
To protect as many people as possible, the company made Lockdown available for free. If users wish for additional privacy protection on public Wi-Fi, insecure websites, or networks they don’t trust, Lockdown will upgrade them to Confirmed VPN for a fair price.
Reap the Benefits of Third-Party Apps Without Sacrificing Data
Johnny told us people today put far too much trust in privacy policies, which has led them to lose grasp of their personal data. Even if a company has a policy, it’s rare for a CEO to self-report violations.
That said, the team at Lockdown, based in San Francisco, doesn’t see legislation as an adequate solution. The regulatory environment has grown increasingly complex in recent years, with the European Union’s General Data Protection Regulation (GDPR) coming into force in 2018 and the California Consumer Privacy Act (CCPA) effective as of January 1 this year.
“Legislation is kind of like a giant hammer that you’re trying to smash ants with,” Johnny said. “Oftentimes, it will harm small businesses more than larger ones. With GDPR, we’re seeing that Google and Facebook have actually benefited because they have the armies of lawyers and compliance staff to satisfy what the law requires, or at least produce the illusion of compliance.”
Smaller companies with tight budgets can’t compete and are unwilling to take on the risk of substantial penalties. In the first tier of administrative fines under the GDPR, for example, violators are charged up to 10 million euros or 2% of annual global turnover — whichever is larger.
“If you’re a small business making under $100 million a year, you may be like, ‘I guess I shouldn’t pursue an online business anymore,’” he said. “So instead of legislation, we think transparency is the right solution — allowing people to see deeply into your company rather than a dog-and-pony show of security theater.”
Confirmed VPN and Lockdown are on a mission to set an example in terms of complete and total transparency, down to the finest line of code.
“You can look at every single line of code that your data is piped through — and I don’t think that’s true for any other service out there,” he said. “We literally cite the lines of code in our audit report that show where and how your data is getting encrypted, backing up the claims that we make.”
Advancing Development & the Openly Operated Standard
When it comes to internal development, Lockdown is driven first by the Openly Operated standard, but feedback from users comes in as an important second. For example, Lockdown for Mac initially didn’t launch upon startup.
“We’re not used to shutting down our computers — we just put them to sleep,” Johnny said. “But there are many users who shut down their computers at night, and they want the software to reactivate when the computer is restarted, so we provided that feature.”
Lockdown is currently looking to add more customization options and even more transparency, allowing users to highlight which apps on their devices are the worst offenders. The company is also focused on furthering the Openly Operated standard.