By Rob Leslie and Goa Lobaugh, March 28, 2015
In today’s world, digital information is pervasive. Nearly every detail about our lives and our communications is processed, transmitted, and stored digitally in some way. This is both a technical marvel that allows us to share knowledge and ideas in unprecedented ways across boundless distances, and also a challenge to us to ensure the privacy and integrity of the things we choose to share.
As was stated in the movie THRIVE, and in a previous blog on surveillance, and as Edward Snowden’s revelations confirmed, there are some people who want to have access to all our personal digital information and eavesdrop on all our conversations, and they have the resources and are willing to go to great lengths to do it. Ostensibly they want to do this so they can protect us from others who would harm us, but in doing so they also disrespect us by violating our privacy and in some cases violating the integrity of our communications without our permission.
In a thriving world, it is our responsibility to protect the privacy and integrity of our own digital information, just as we take steps to protect our physical property from thieves, vandals, or prying eyes. As with physical security, there are a variety of threats to our digital information, and accordingly a variety of tools we can use to mitigate those threats. Technology and policy are both moving targets, so it is important to stay vigilant in order to keep current with best practices. Below are some of the best practices we’ve found to secure our digital information.
Threats to Our Digital Information
In THRIVE, it was said that “every phone call and email we send is collected and archived, and can be inspected at any time.” Snowden explained that this wholesale collection of information is not necessarily reviewed immediately or used to build dossiers on specific people, but rather is archived in long-term storage that can be queried at any time in the future.
Snowden also showed a variety of the methods used to collect this information, from wiretapping various Internet connection points, to working directly with technology companies that have access to information, to interdicting the shipment of hardware and implanting custom software that will aid in the collection, and many others. While some of these methods are targeted at specific individuals or groups, others are not. The threats to our digital information, then, can vary depending on who has it, and how badly someone else wants to get it.
The fact that some technology companies are so easily willing to release the information entrusted to them shows us the value of choosing the companies we share our information with, reviewing the privacy policies of those companies, and of carefully selecting the information we ultimately share. This is of course easier said than done, and in many cases we simply want the service more than we want to hassle over finding an alternative, if there even is one. Clearly, few enjoy reading privacy policies or terms and conditions, even though they form an integral part of the agreement between you and the company providing you a service, and often reveal the level of respect you can expect the company to have for you and your personal information.
There are, of course, threats beyond these. Some people are interested in obtaining your personal information or intercepting your communications in order to contact and persuade you to buy their products, or to trick and defraud you. Other people are interested in gaining control over your computers and will attempt to spread malware (in the form of a computer virus or rootkit) so they can use your hardware and Internet connection for their own purposes, including sending spam, launching denial-of-service attacks against others, capturing keystrokes and passwords, mining or stealing bitcoin, collecting all of the personal information on your computer, or just trying to prevent you from copying a CD.
You may also have personal adversaries that are interested in you or your communications for some reason—maybe a competitor, a jealous lover, a paid troll, or a rogue actor intent on sabotaging your inventions or perhaps just your point of view. There are many reasons to want to protect the privacy and integrity of your personal information. Even if you do not feel personally at risk, it is useful to recognize the levels of surveillance that are happening. The 2012 National Defense Authorization Act made it illegal and punishable by imprisonment with no access to legal defense to speak out against government policies, and recently a report funded by the Department of Homeland Security named sovereign individuals as the number one domestic threat in America. Awareness of this is an important step in taking responsibility to stop it.
Finally, and perhaps most importantly, there are threats to our digital information in the form of public policy decisions. Some people would like to make it illegal for anyone to use encryption, and fear a world in which encryption prevents them from accessing information they are not a party to. Others would like to force all companies to give up information about their users. Still others might try to use so-called “net neutrality” regulations as a Trojan horse to impose additional surveillance. Vigilance is essential to keep what little privacy we do have from disappearing completely.
Best Practices for Securing Digital Information
The good news is that there are concrete things we can still do to improve our personal digital security. The very things that threaten our digital information have also motivated privacy-conscious individuals and companies to differentiate themselves by developing and offering products and services with high standards for privacy and security. Organizations like the Electronic Frontier Foundation and Thrive, and people like Snowden, Laura Poitras, Glenn Greenwald, and Julian Assange, as well as others, have brought the issue into mainstream discussions where we have an opportunity to influence and shift belief systems toward a world in which no one’s privacy is violated against their will.
No solution is 100% guaranteed, and all require some work to employ. The first and easiest thing you can do is to be mindful of what you agree to, and the information you share in the first place. You may be surprised by the amount of privacy you agree to give up in exchange for the services some companies and apps offer to provide, and might want to seek alternatives when the terms feel unacceptable to you.
The next thing you can do is to use encryption wherever possible. Snowden informs us that when implemented and used properly, encryption can help secure information against practically all known forms of eavesdropping and tampering. That’s a big help, but also a big condition—encryption is fundamentally complex, and easy to get wrong. There is even speculation that some cryptographic algorithms may have been deliberately and surreptitiously weakened to reduce their effectiveness. It’s also important to realize that even if implemented and used properly, encryption is not a panacea. For example, the fact that you used encryption may be utterly obvious to outside observers (and attract their interest as a result), as may be the source, destination, size, or frequency of your messages or data. Furthermore, encryption can only ensure privacy if performed in an environment that has not already been compromised. A computer virus, or other malware disguised as an otherwise useful app, might still be eavesdropping on the information you’re trying to encrypt. Even so, encryption is the best option we have when we want to ensure our privacy.
Finally, we believe it is important for us all to speak up about the importance of digital security and the violations caused by misguided public policy. Together we can make it clear that it is not acceptable to spy on, intercept, tamper with, or misuse the private communications and personal information of others, and we can support the pioneering efforts of those who are both developing solutions and taking on the public policy issues.
Tools and Technology Tips
Here is some specific advice on the kinds of tools available to help secure your digital privacy:
OTR stands for “Off-the-Record Messaging” and is an encryption protocol made specially for instant messaging. It provides “deniable authentication” which allows you to be sure of the authenticity of the messages you receive from the other party in a way that can’t be proved to anyone else.
There are several reasonably priced, free, or subscription apps that use OTR, including TextSecure for Android, ChatSecure for iOS and Android, and Jitsi for Windows, Mac, and Linux, among many others.
Silent Circle is a paid service that offers a suite of tools for state-of-the-art encryption for text, as well as voice and video communications. Phil Zimmermann, a pioneer in the field and creator of PGP and ZRTP, is one of their developers.
The source code for Silent Circle, as well as TextSecure, is available for review on GitHub. This transparency adds another layer of protection by increasing the likelihood that vulnerabilities will be exposed and patched quickly.
The folks at Silent Circle have also partnered with a smartphone manufacturer to create the Blackphone, an entire smartphone built for secure communications. It includes its own privacy-focused operating system, PrivatOS, which prohibits backdoor access and other common hacks.
Online Searching and Browsing
Here are some tips to improve your online privacy:
Connect to sites using HTTPS whenever possible (e.g. using HTTPS Everywhere), and always when transferring personal information. HTTPS is the standard for encrypting communications with web servers; the underlying encryption protocol is known as TLS (formerly SSL). (HTTPS imposes certain costs on web servers to support it, so not all do. Some sites, including our own at Thrive, use HTTPS when submitting or transferring sensitive personal information.)
Use Tor when you want or need to browse the web in complete anonymity.
For additional privacy (especially when traveling), use Tails to start almost any computer from portable media and leave no trace when you are done.
If you regularly communicate with colleagues in multiple locations, consider setting up a virtual private network (VPN) to encrypt all communications between the sites using OpenVPN or IPsec. This is an advanced but effective technique for taking direct responsibility over the privacy of your communications. Some commercial services also offer VPN tunnels you can use to connect privately to the Internet.
Probably the most widely used encryption standard for email is PGP (also GPG) which can be used both to sign and encrypt messages. PGP relies on a decentralized “web of trust” to provide confidence that the key you use to encrypt messages to someone (or to verify the signatures of someone) actually belongs to the person in question, and is not a decoy or forgery. In practice this usually means meeting in person once to verify the other person’s key fingerprint, or relying on the judgment of others you trust who have directly or indirectly confirmed this themselves.
Unless your computer is never connected to the Internet, there are always risks to the information stored on it. Often the worst risks come from trusting software of questionable origin — for example, free apps that you can download from the Internet. While operating systems are getting better at insulating your private information (like your address book contacts and your calendar) from random apps and require your permission before allowing access, there may still be loopholes. It is always better to err on the side of caution by not running software you don’t trust completely. This is why it is good advice never to open email attachments you don’t recognize or from people you don’t know, and also why open source software is preferable to closed-source: you benefit when the software source code can be reviewed for integrity by anyone.
It’s worth noting that any time you are asked to enter an administrative password on your computer, you are essentially giving the app making the request complete and unrestricted access to do anything with your computer; consider whether you really trust the app in question before granting such permission.
Assuming you trust your computer and all the software it runs well enough not to be compromised, here are some tools you can use to encrypt your files:
Mac: Encrypt your entire startup disk with FileVault (System Preferences… > Security & Privacy > FileVault), or create an encrypted image for a smaller set of files using Disk Utility. In recent versions of OS X, you can also use Disk Utility to encrypt an external disk (see Help > Disk Utility Help for details).
Windows: Until it was discontinued last year, TrueCrypt was a popular option for encrypting files on Windows. VeraCrypt and CipherShed have been identified as current alternatives. Some recent versions of Windows also include built-in encryption facilities, and Windows 8.1 may automatically encrypt everything on your hard drive by default.
Any time you rely on encryption, it is critical to use a good passphrase, or the effort will be for naught. It turns out this is not as easy as you might think. Fortunately, we can recommend a simple and reliable technique to generate extremely secure passphrases.
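The technique recommended above is not named on this page. As an added illustration (not code from the original article), the sketch below assumes a word-based approach in the Diceware style: words are drawn uniformly with a cryptographic random source, and strength is measured in bits of entropy. The word list, function names, and the 80-bit target are assumptions made for the example.

```python
import math
import secrets

# Constructed sample word list for the example. Assumption: in real use a much
# larger list (for instance 7776 words, as in Diceware) is loaded from a file.
SAMPLE_WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "glacier", "harbor",
    "iris", "juniper", "kelp", "lantern", "meadow", "nectar", "orbit", "pebble",
]


def entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy of word_count words drawn uniformly and independently."""
    return word_count * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words whose combined entropy reaches target_bits."""
    if list_size < 2:
        raise ValueError("word list needs at least two distinct entries")
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(words, target_bits: float = 80.0, sep: str = " "):
    """Return (passphrase, entropy in bits) for the given word list."""
    # Duplicates would make some words more likely and overstate the entropy.
    unique = sorted(set(words))
    count = words_needed(len(unique), target_bits)
    # secrets uses the operating system's CSPRNG; the random module is
    # predictable and must not be used for passphrases.
    chosen = [secrets.choice(unique) for _ in range(count)]
    return sep.join(chosen), entropy_bits(len(unique), count)


if __name__ == "__main__":
    phrase, bits = generate_passphrase(SAMPLE_WORDS)
    print(f"{phrase}  ({bits:.1f} bits)")
    print("words needed from a 7776-word list:", words_needed(7776, 80))
```

The strength comes from the size of the list and the number of words, not from the words being secret, so a short list like the sample one needs many more words than a full-size list to reach the same target.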
While the ubiquity of “cloud” services like Dropbox, Google Docs, or iCloud makes them attractive and convenient, it’s important to realize that we give up several layers of control (both physical and digital) when we use these services. Be conscious of the power you give away to the cloud operators, and understand their policies. If privacy is essential, encrypt your files before storing them in the cloud, or consider using a service with higher standards for privacy.
Be aware that many devices today want to connect to the “cloud” to store and retrieve data, whether they are mobile phones, tablets, game systems, “smart” TVs, or other “smart” appliances. Often this data contains personal information about you, even a recording of your voice if you make requests that way. It may be disconcerting to realize the TV in your living room may be listening to you and sending what it hears to a remote third party, so if this bothers you, consider turning such features off if you can, or vote with your wallet and don’t purchase devices with these capabilities. Also let the companies know that you chose not to purchase their device for this reason.
VIDEO: Documentary film — Terms and Conditions May Apply
VIDEO: Jacob Appelbaum & Laura Poitras — Reconstructing narratives
Privacy Project — Blackphone
The Electronic Frontier Foundation is a staunch advocate of digital civil liberties, including personal privacy.
Bruce Schneier is a well-known security researcher who has had direct access to the Snowden documents. (See a recent interview he gave after the release of his latest book, Data and Goliath; you can also read an excerpt from the book.) He offers good analyses of a wide range of security issues, but also tends to endorse collectivist (violating individual rights for the “good of the group”) solutions to the problems he identifies.
Here’s our challenge to you: can you identify better solutions that also adhere to the principle of non-violation?