Tag Archives: NSA

Protect Your Privacy

encryptedLast month I shared my concern about our diminishing privacy. Now I hope to share some ideas about how you can protect yourself. The key is encryption. Below I’ll give practical steps that you can take. I’ll cover a lot of different areas, I recommend doing as much of this as you’re comfortable with. The strategy is to encrypt everything. Most of these are easy to implement, so regardless of your background or technical ability you’ll be able to make a difference. The goal here is to become more secure in your daily life.

Connection
Your connection to the web should always be secure, which means enabling WPA2 encryption on your router at home and avoiding public networks. If you do need to surf on public wifi (coffee shops, airports, etc) then I strongly recommend that you take precautions to protect yourself. Disable sharing, turn on your firewall and use a VPN. I’ve used OpenVPN while traveling and I loved it. There are plenty of VPN services available. Protip, the Premium version of Disconnect blocks malware and is a VPN as well.

Websites
The best option here would be to avoid the companies known to have leaked to the NSA, but I’ll concede that isn’t realistic. Fortunately you have options. First, get the HTTPS Everywhere plugin for your browser and turn it on. Second, try DuckDuckGo or StartPage instead of Google, Bing or Yahoo.

Block ads & tracking scripts
Start with the simple, enable do not track within your browsers. Next, get the Disconnect browser plugin and configure it to block your browser from responding to requests. Finally, get Ad Block Plus and turn it on.

Encrypt your computer
This one used to be a challenge, but recently operating systems have appropriately taken over and now its a pretty straight forward task. For Windows you’ll enable BitLocker. For OS X you’ll turn on FileVault. Both of these are robust, well supported and easy to turn on. Just don’t forget your password. There are options for Linux as well, but my guess is that if you’re using Linux you don’t need my help.

Encrypt your data in the cloud
If you use a cloud storage service like Dropbox, Google Drive, iCloud or Box, your connection may be secure but if your files are unencrypted than anyone that gains access to those services has your pictures & files. These services have become a target for precisely this reason. There are a couple of options. If you already have files stored in one of the above services, you can use Boxcryptor or Viivo to encrypt what’s already there. These are freemium services so there’s a free option that will work for most, and a subscription option for more advanced features. They support most storage providers and most platforms, which makes them a great option. The next level would be choosing SpiderOak or Tresorit, which are zero-knowledge, secure cloud storage services. They both offer a free plan and modest fees for increased storage.

Encrypt your phone
Your phone goes everywhere with you. If it is lost or stolen, all of your data is ripe for the picking. Passwords aren’t enough to keep people out, you need to encrypt it so that the data is hidden. The good news is that it’s simple. Android, iPhone & Windows Phone each have native tools to easily enable this feature. In fact, for these devices phone encryption is just a setting.

Secure Email
This is the trickiest one of all. Until recently encrypted email has been challenging enough that for most people it wasn’t worth the effort. It’s also, in my opinion, the most important. Your email tells just about everything there is to know about you in one spot. Your friends, your interests, your calendar updates, where you bank, and more. This really could be its own series of blog posts, but my goal here is to keep things simple. For Gmail, Yahoo & Hotmail, you want Mailvelope, which is a browser plugin for Firefox or Chrome that simplifies the steps involved in PGP encryption. A better option would be to switch to a free secure email provider like ProtonMail or Tutanota. These services handle end-to-end encryption for you.

If you take these steps, you’ll both protect yourself from being a target for hacking, and protect your identity while online. Without the keys to decrypt it, it just looks like static or junk data. In fact, it IS junk data.

I’ve covered these topics pretty quickly. If you’d like to know more, I’d encourage you to do some investigating and educate yourself.

Privacy

Privacy is not a crime

Image by Jürgen Telkmann via Flickr

A couple of recent events have gotten me thinking about privacy. More specifically, it’s the lack of privacy that has captured my attention. The web has now been ubiquitous for the better part of a decade. Companies earn staggering sums of money making the web an awesome experience for us. And they have, most adults I know have at least 3 devices with constant internet access. The nasty down side is that everything we do online is traceable. You would be surprised by how little data is required to uniquely identify a person, but that’s no problem because our devices betray quite a bit about us.

None of this is new, the fact that companies and the NSA track our activities has been known for 10 years or more. The two things that have struck me recently are that more companies are joining this bandwagon, and there is no way to opt out.

This summer the news lit up with stories about Windows 10 spying on you, then slipped user tracking tools into Windows 7 & 8 as well. Spotify raised quite a ruckus with an updated privacy policy enabling them to collect just about everything on your phone, pictures, location (GPS data), Facebook friends, etc. And in June Uber revealed that their mobile app could continue to monitor your location even after you exit the app.

It’s impossible to opt out of this tracking. None of us are immune from this privacy invasion. If you surf the web, if you have a cell phone, then you are sharing data about your habits and interests with companies and the government. Google & Facebook know you individually, whether or not you have an account with those services. Google’s free analytics service is used on half of the top million domains, and Facebook’s like or share buttons are present on more than 13 million websites. If you do have an account with those companies, they know a lot more about you, but don’t be fooled, they know your habits either way. The only way to avoid them is to not use the phone or surf the web.

We also have no control over what happens with this data about us. Major cell phone carriers are sharing the content, not just meta data but the actual conversations, with the NSA. There are reports from reputable journalists indicating that up to 50 companies are willingly supplying customer data to government agencies. The net effect is that the NSA collects nearly everything you do online, without user consent or a warrant.

Those are examples of the companies complying, but something this valuable is definitely a target for theft. Consider the Ashley Madison breach, last month hackers stole then released the full Ashley Madison database, including personal details. Whether or not you like the site or agree with its business model, enough data was shared about its customers that all of them are now susceptible to identity fraud. Think about that. Names, email addresses, credit card info, transaction data. These breaches aren’t limited to anonymous criminals though, the NSA is all to happy to steal data as well. They’ve stolen data in bulk from Google, Yahoo, Facebook and AT&T that we know of. Again, this is without the consent of the companies or a warrant.

Apart from the personal intrusion, though, how can you have a true democracy when everyone is being watched? We need to be free to explore and express ideas, to argue and debate, without concern for third party misinterpretation or intervention. Privacy is a means to democracy. We currently do not have this freedom, at least not via phone, email or social network. I know of at least two websites that have been forcibly shut down, secure email provider Lavabit and the social legal site Groklaw. I don’t know anything about why these sites shut down other than what’s in the news, but I somehow doubt that the owners of either website feel very free. I do know that Groklaw was a community where open source software advocates and attorneys collaborated to help one another. These heavy handed tactics discourage civic participation and sharing of ideas.

The American public deserves to know what its leaders and government are up to, both at home and abroad. Citizens cannot consent to the importance or effectiveness of any program they don’t know about. There is inherent value in citizens knowing their government’s activities and being able to form judgments about public policy. I do understand that in global politics governments need to spy on one another. That the government do this to its own people and then try to cover it up damages the relationship between citizens and their government.

I find it absolutely chilling that companies and governments have colluded to eradicate our privacy. The private sector figured out how profitable it is to offer free services and sell data about us, and the government figured out how to capture that data and use it for their own purposes. The result is that a lot of people I’ve never met and have no reason to trust know my interests, habits, background, and what I look like. They know these things about you, too. And none of us have any voice in what they choose to do with that information. It’s horrifying.

I don’t know that its possible to fully protect ourselves from this, but there are some things we can do to protect ourselves. I’ll share those ideas in a separate post.

I Hate Google

I have a love-hate relationship with Google. This is a continuation of a blog thread that I started a few years ago. The first part was I Love Google. While some of the products have changed, I still stand by those notes. These notes are true as well. I’ll finish this series with a part 3 on my takaways from these viewpoints within the next few months.

The Google-Plex

The Google-Plex (Photo credit: Wikipedia)

My issue with Google comes down to data collection. Most of Google’s services are free, which means that the product being sold is you. They collect everything that they can about you, and use that information to put together effective marketing campaigns. My issue is that they know a TON about all of us. All of their clever services are designed to keep us using their products so that they can market to us. But, actually, you don’t have to use their services in order to be known by them.

We all know about search, Gmail, maps, drive (aka documents), and their other popular servers. But even if you never used any of those, they have a whole slew of services that they can use to track you. Lets take a look at a few of them. I’ll give a brief description of each, because my point is not to introduce to you new products. I plan to tell you how these collect data about you.

Analytics – Tracks visitors to any website.

Fonts – Quick & easy way for you to include stylish fonts on any web page.

AdSense – Contextual advertising on your website.

Maps – Mapping tool.

DNS – Public DNS servers.

There are literally dozens of others, but this is enough to make my point. Each of these services makes it possible for Google to track you without you ever having to visit their website. Millions of website owners use Google Analytics. If you visit one of those sites, Google sees your visit. They don’t literally know its YOU, but the fact that someone on your computer, from your city, at this time gets recorded. Google Fonts and AdSense are the same, if you visit a site using one of those tools, Google tracks your visit.

So why should you care?

A public company, accountable to shareholders, is collecting data about you, building a profile on you and your habits. If you ever create a Google account (Gmail, Google+, AdWords, etc.) they tie your search history and surfing patterns together in your profile. They can connect all of the sites you’ve visited with all of the searches you’ve made. How do we know? In the spring of 2012 they updated their privacy policy and terms of service to make this possible. From their blog:

…if you’re signed in, we may combine information you’ve provided from one service with information from other services…

Let that sink in for a moment. Think about all of the sites you’ve visited over the past six or eight years. This profile, combining your search history and all of the sites you’ve visited, definitely is uniquely identifiable. This idea actually came from Steve Jobs, while he was an adviser to Google executives. My source article is no longer available, but Jobs is reported to have said something along the lines of:

You have so many products spanning several services: Search, GMail, YouTube, Maps etc. – why not unite them all under a fluid user experience to both you and your users benefit?

With this much data in a single profile, it is absolutely possible to distinguish you from your neighbor. Think about all of the searches that you’ve made. What story does that tell about you?

Your profile says a lot about you, which makes it pretty valuable. And it can be used in all sorts of ways that you never intended. First, your profile is a target for the Government. This is not new at all. In fact, Google has fought this fight long enough that they have a well defined process for handling government subpoenas. This actually came up again this week, Google is one of several internet companies being mined for data by the NSA and FBI.

The government isn’t the only party interested in your profile though. In 2010 a Google engineer used his permissions to access user accounts and spy on teens. Talk about creepy! Google even issued a statement acknowledging this. And what was the outcome? He was fired.

Google has also been hacked. In December of 2009 a Chinese group hacked into Google to gain access to the Gmail accounts of human activists, as well as companies in the technology, financial and defense sectors. I can’t tell what the outcome of this attack was, but the investigation is apparently ongoing.

To be fair, Google isn’t the only company collecting data about us. Indeed, that would be a long list. Facebook, Yahoo!, Bing and Twitter come to mind instantly. Those are all big companies, there are certainly dozens (if not hundreds) of small companies doing the same thing. Google stands out.