Your Privacy is Worth These Ten Real Steps: It’s YOUR Job to Control Your Data

Brian Scriber
Apr 4, 2017

Your online actions were not private last month, they aren’t private now, and nobody is going to protect you if you don’t do it for yourself.

It’s not about ISPs or search engine companies; it’s about advertisers, it’s about governments, politics, ratings, clicks, time-on-page, and about targeting specific demographics. There is a crowded field of online behavior and demographics mining, but this isn’t a new field, and companies are lined up to find out everything they can about you. There already exist massive databases and analytics which have data related to digital footprints of almost all of us. Search engines have a tremendous data lake and profiles for each user, particularly if those users have been registered, identified, tagged or are using email provided by the engine.

We know our searching habits aren’t private, we know they are not anonymous, and we know it’s not at all difficult to directly associate this with our email. We also know it’s easy to get from pseudonymous emails to our real identities. We might not want to think about any of this, but we are waking up to the fact that we lost control somewhere along the way, and maybe we don’t want the drapes open all the way, all the time. My hope is that this causes people to review how their privacy is protected or exploited across all of their digital interactions.

These are ten things you can do, right now, to protect your privacy:

1- Configure the privacy settings on your browser.

This is the easiest step you can take and you may have already done this, but it’s a good idea to refresh yourself on the settings you have selected. Some of the options differ between browsers, and most have descriptions for what each setting allows or prohibits. Autocomplete and predictive loading are among the tradeoffs you make when it comes to privacy; I turn mine off.

Figure 1: Browser Privacy Settings

2- Address cookie settings.

Cookies and other stored state information, particularly third-party cookies, help target you for advertising. Make sure your settings reflect the level of privacy you’re expecting. While we’re at it, clear your browser history often, preferably on each browser restart, but that means you also need to restart the browser (or your computer) occasionally.

Figure 2: Storing State Information
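
To show what makes a cookie "third-party" and why those are the ones worth restricting, this added example (not part of the original article) audits the Set-Cookie headers seen while loading one page and flags persistent cookies scoped to a different site. The URLs, cookie values and the two-label site heuristic are constructed assumptions.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: (response URL, Set-Cookie header) pairs seen loading PAGE.
PAGE = "https://news.example/article"
RESPONSES = [
    ("https://news.example/article", "session=s1; Path=/; HttpOnly; Secure"),
    ("https://cdn.adnet.example/pixel.gif",
     "uid=u-7f3a; Domain=.adnet.example; Path=/; Max-Age=31536000; Secure; SameSite=None"),
    ("https://static.news.example/app.js", "prefs=dark; Max-Age=604800"),
    ("https://metrics.example/beacon", "visit=1; Path=/"),
]

def site(host):
    # Assumption: the last two DNS labels approximate the registrable domain.
    # A real audit should consult the Public Suffix List (e.g. for co.uk names).
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def audit(page_url, responses, long_lived=30 * 86400):
    """Return one finding per cookie set while loading page_url."""
    first_party = site(urlsplit(page_url).hostname)
    findings = []
    for url, header in responses:
        host = urlsplit(url).hostname
        jar = SimpleCookie()  # one jar per response so names cannot collide
        jar.load(header)
        for name, morsel in jar.items():
            # A Domain attribute widens the scope; without it the cookie is host-only.
            scope = morsel["domain"].lstrip(".") or host
            max_age = morsel["max-age"]
            lifetime = int(max_age) if max_age.isdigit() else 0
            findings.append({
                "name": name,
                "scope": scope,
                "third_party": site(scope) != first_party,
                # Session cookies vanish on browser exit; persistent ones do not.
                "persistent": bool(morsel["expires"]) or lifetime > 0,
                "long_lived": lifetime >= long_lived,
            })
    return findings

def trackers(findings):
    """Names of cookies that are both third-party and persistent."""
    return sorted(f["name"] for f in findings if f["third_party"] and f["persistent"])

if __name__ == "__main__":
    for f in audit(PAGE, RESPONSES):
        print(f)
    print("likely cross-site trackers:", trackers(audit(PAGE, RESPONSES)))
```

Blocking third-party cookies removes the `uid` entry in this sample, while clearing state on browser restart is what limits the lifetime of the persistent first-party ones.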

3- Install Privacy Badger.

The Electronic Frontier Foundation has a tool that will help you determine who is tracking you and by what means, and it will give you the insight to make additional changes if needed. You can download it from here:

Figure 3: Privacy Badger Interactive Review

4- Update your computer with recent patches.

It’s a pain, but it will help keep you secure and it’s a start in protecting against malware entering your system. While you’re changing your habits, start looking for the HTTPS or the “lock icon” for the web sites you visit; that helps hide the traffic details from intermediate discovery/viewing.

5- Protect your Endpoint

Anti-virus applications are over-rated and over-priced, but, yes, you should probably have one and it should be up-to-date. Once you’re infected at the endpoint, nothing you do to protect privacy from your connection to the internet will make much of a difference. Scan your system regularly — this can (and should) be automated.

6- Privatize Your Networking

Get a VPN service. Seriously. Virtual Private Networks (VPNs) are ways to shield what travels over the wires and over the air to your computer; a VPN encrypts data between your computer and a remote server which can be used to interact on the internet as a proxy for you. I use AirVPN because it lets me select my specific machine based on both throughput and the country (legal jurisdiction) within which it resides.

You can also automate most VPNs to start on system start-up so you don’t have extra steps to take. Finally, you could look for VPNs that let users pay in Bitcoin, which is handy for that final level of obfuscation. When selecting VPNs, look at all the devices you use which need privacy protection: computer, tablet, phone, watch, vehicle, television, etc.; select your VPN so that it supports you in each of your environments. Not all VPNs are created equal: they don’t all use proper cipher suites, and some use insufficient key lengths and hashing algorithms, etc. Keeping this at a manageable level for most users, you can get a good idea of the technical security in the following comparison. This chart does a good job of rating different VPNs for your use, but fails to help identify the reasons for concerns with specific VPNs (should you have questions about their rating):

Please be aware of legal restrictions on the use of VPNs in different locales; particularly abroad, there are serious consequences to using VPNs, and the traffic can be easily identified as encrypted by automated scanning systems.

If you’re extremely concerned about monitoring, it is possible to select multiple intermediate servers, each in different countries, through which to route traffic. It is also possible to select differing VPN providers to further protect and de-identify traffic. Note that with each VPN you add, your performance is going to decrease and things are going to slow down if you’re not careful about proximity and throughput of your VPN servers.

One of the nice things about VPNs is that they protect your email, your browsing, and your application traffic; anything that travels over the internet ends up getting encrypted and sent through at least one intermediary before rejoining the rest of the world’s traffic. If you don’t think email is where privacy can be violated, ask yourself why you suddenly see bicycle ads on many of the web sites you visit right after you emailed your spouse about wanting a new mountain bike for your birthday.

7- Email and Text Solutions

Stop Using Free Email and Stop Texting. I know we’ve all become accustomed to getting our email for free; I’ve even heard “Pay for email? No way!” As with VPNs, there are several providers of secure email, and they are worth investigating to determine which is best for your needs. Consider ProtonMail or KolabNow, which are both Swiss operations (thus they are protected by Switzerland’s unique laws around privacy) which do not crawl your messages for advertising, nor do they log IP addresses of users.

Both of these encrypt your email and both of these providers also have apps for your mobile devices.

When it comes to SMS and MMS texting, be aware that this is extremely vulnerable to eavesdropping. Use tools like WhatsApp or Signal for sensitive text messages; there’s no excuse not to. (Links below go to the Apple App Store, but these are available for Android devices as well.)

8- Make new search/browsing habits

Are you still concerned about privacy? Turn off JavaScript in your browser, uninstall plugins for your browser, and in the same breath, I’m going to suggest you install and use the DuckDuckGo search engine.

Figure 4: DuckDuckGo Search Tool

9- Getting Serious and Using TOR

If you want additional security/privacy, consider using the TOR (The Onion Router) tools or let the TorBrowser do that work for you if all you’re doing is browsing.

This browser will bring you into a network of randomly[1] selected servers which each act to encrypt traffic to the next server and so on until it exits the TOR network and then traverses the internet quasi-anonymously.

Figure 5: TorBrowser and TOR Circuit Example

Similar to Privacy Badger discussed in section 4, above, the TorBrowser will also help you identify the sites that are tracking you, and how they are accomplishing this so you can take appropriate action/inaction.

Figure 6: TorBrowser Privacy Warning Example

Once you’re using TOR, your actions are fairly anonymous, but one way to make your identity exceedingly clear to an adversary monitoring your traffic, to a website tracking your browsing, or to advertisers who want to know who you are is to visit and log into your social media account or cloud profile (such as email) in a session you’d otherwise prefer to remain anonymous.

The Dark Web, hidden addressing, and expanded use of TOR is a step beyond what I’m going to cover in this summary; here I am focused more on your privacy/security, but anonymity is a key aspect of interactions in the Dark Web.

10- Overkill

How Much Privacy Do You Need? I say “quasi-anonymously” in the penultimate sentence on the use of TOR, above, because we know the FBI has a way to subvert TOR and track back to entry/exit points to help identify specific users. Let’s be frank though; if your adversary is a nation-state, you need to be far more paranoid than I’m suggesting. If your secrecy, anonymity, security, or privacy is being threatened at this level, my recommendation to you is to abandon electronics. In this situation, any internet-connected device that you use can be compromised to help track/listen/observe you, particularly your phone. Law enforcement have used stingrays to track which phones are in which areas during specific time windows, including public demonstrations, activist meetings, and other similar activities. Your phone literally broadcasts your identity everywhere you go. If you are a journalist or whistleblower, these are things you may need to be considering.

Finally, your phone, your virtual assistants, and anything that can be activated through your voice is listening to everything within range of the microphone. In almost all cases, that voice recording isn’t being analyzed on the device, it’s being sent to a data center for processing… and storage. Some companies have mechanisms where you can go back and listen to and delete these old recordings (e.g. Google[2]), but many do not and most of us don’t know about this because it’s buried inside a 45-page privacy statement, if it’s there at all. If your privacy is important, make sure you use a button-activated voice assist, or, better yet, no voice-assistant at all.

The Fine Print

If your device (laptop, desktop, phone, tablet, watch, etc.) is corrupted, all of the intermediate network protections, each of the steps listed in this article, become useless. It’s for this reason that you should be discriminating in what you choose to install on your machine, what monitors your device, and what precautions you are willing to take to protect and manage your security. Ensure that a corporate IT department, jealous spouse, government, university/school, malware developer, or even a curious friend doesn’t have access to install tools like Spector or to allow for tools (e.g. rootkits and keystroke loggers) to be installed. Software like this has been engineered to be extremely efficient at hiding itself all while providing full access to everything you’ve done (or are doing) to the one eavesdropping. These are tools that can operate and monitor your actions when you’re on the local network, or when you’re connecting from home or on the road; they also work no matter what intermediate steps you are taking to protect yourself online. The best way to prevent this is to simply not give anyone access to your device, but know that some malware can be remotely inserted into the device to provide similar access.

These steps aren’t perfect, and there is no guaranteed anonymity solution, but recognizing that you weren’t anonymous last week and that you’re not anonymous now, will help you further protect your privacy moving forward. Privacy is a right, and just like every other right that you enjoy, you will lose it if you do not exercise it.

— — — — — — — — — — — — — — — — — — —

A network security architect and leader in security research and standards bodies, Brian’s experience includes PKI, blockchains, encryption, algorithm design and analysis, secure coding, governance, networking, device hardening, data protection and satellite communications. Brian holds a B.S.E. in Computer Engineering (University of Michigan) and an M.S. in Computer Science (University of Colorado); he has extensive experience in software development and architecture, networking, cloud technologies, web services, and development methodologies, and has 13 patents pending final approval. Brian also has strong business involvement and holds an M.B.A. in Technical Strategy (University of Colorado) and has led multiple technology organizations in roles including Chief Scientist, CIO and CTO.

Follow Brian on Twitter: @BrianScriber

Image used under license. Attribution: Nick Youngson — http://nyphotographic.com/

[1] Pseudo-randomly

[2] http://www.independent.co.uk/life-style/gadgets-and-tech/news/google-voice-search-records-stores-conversation-people-have-around-their-phones-but-files-can-be-a7059376.html
