Why worry about privacy?

A “simple english” explanation of why we need to worry about online privacy and safety.


The problem of how to keep from being snooped on, tracked or hacked while being online is something we all need to worry about. The reaction I most often get when I bring this up is “I’m not doing anything I want to hide. Why do I care if someone is tracking me online?” or “Why would anyone want to hack me?”

Both of those questions are valid and need to be addressed. But often the replies involve lots of techincal jargon and knowledge about how computer systems work. Explaining to someone who doesn’t yet understand how this works is a very difficult thing to do in the course of one conversation, and the jargon just shuts them down even more.

So I’m going to try and break everything down into simple english and introduce the bare minimum jargon to explain everything. If you have ever asked any of the above two questions and have struggled to find an acceptable answer — read on. Hopefully this will answer a few of your concerns.

Note: Words and phrases that are underlined are links to other webpages with (usually) more information. Clicking on it will open the link in a new tab or window, and you won’t lose this page.


Tracking

Simply put, information that could personally identify you can potentially be sold to any number of third parties without your consent.

Let’s consider a real-world analogy.

You’re in your house, and you need to go out and get some stuff. Let’s say you need to buy eggs and milk at a supermarket, vegetables at the local market, and kitchen equipment at a hardware store.

You leave your house, and drive to the supermarket where there’s a man at the door who asks you what you want to buy. You tell him what you’re there for, make your purchases and leave. As you’re leaving, you notice he’s following you in his car, all the way to the vegetable market. Before you get out of your car to talk to the vendor, the guy following you has already run over to the vendor and has already spoken to him as you approach.


You ask the vendor for some vegetables, and he recommends to you a few that will go wonderfully with omlettes. The guy takes note of what veggies you buy, and follows you to the hardware store and repeats the same procedure as with the vegetable vendor. So by the time you walk into the store, the salesman already has an array of knives lined up that work extra-well with the vegetables you’ve just bought and he throws in an egg-beater as well. You get your stuff, and return home.

So to recap, the guy at the hardware store knew exactly where you’d been since you left your house, without you telling him any of it. The vegetable vendor knew what you bought at the supermarket, also with no consent from you.

Imagine this process repeating itself every time you step out of your house to go anywhere.


This is exactly what happens every time you go online and navigate to any website. When you go to (for example) Twitter’s website, at least one “tracker” hops onto you. This tracker is just a bit of computer code that lives in your web browser. Once you have visitied Twitters’s website, the tracker starts following you around wherever you go onto the internet doing effectively the same thing as the man following you in the car.

Also similar to the man in the car, online tracking also influences what we see on websites that are quite difficult for us end users to understand in any detail.

Companies will often use tracking to collect statistics about things like how long a person stays on a particular page of a website, or how long he spends reading an article. Online vendors like Amazon and Flipkart use trackers to figure out what you’ve been doing on the rest of the web and suggest products to you based on that information.

However, the biggest use of tracking is websites using tracking information to serve you advertisements. Based on your behaviour on other websites online, the advertisements you see on a particular website will change to better “suit you”. The hope is that if you find an ad more appealing, you will more likely click on it. The more clicks an ad generates, the more money it makes for everyone involved.

This behaviour of tracking everyone is worrying because information about our habits and our behaviour is being passed on to several third parties without our consent. The information the tracker passes along goes to various advertisement and analytics companies aren’t protected by any privacy laws and are not guaranteed to be anonymous. Simply put, information that could personally identify you can potentially be sold to any number of third parties without your consent.

There’s a very clear TED talk about how common the practice of tracking one’s online movements are. The person giving the talk (Gary Kovacs) is speaking about a software that is now called Mozilla Lightbeam. It is an addon to the Mozilla Firefox web browser that allows you to visualize what trackers are tracking you over which website. I’m not going into how to install and use it here, but if you watch the TED talk you will get a fair idea of the extent of online tracking. It is truly scary.


Hacking

It’s unlikely our house is going to get burgled, but we still lock the doors at night.

The next thing that bewilders people is “hacking”. Hacking has been portrayed in popular media in different ways for about twenty years now, leaving everyone with only a vague and warped sense of what it means for someone to get “hacked”.

In this article, hacking will mean the following — If someone gains entry into your computer without your permission, and takes or otherwise modifies personal information without your consent.

Without getting into a larger debate about whom to call a hacker and what hacking means, I’ll just leave a disclaimer here that not all hackers are bad, and not all hacking is bad. Hacking is bad when people steal information for personal profit, but there are other kinds of hackers out there about which I will not worry here.


The biggest question that people have when this is brought up is “Why would I have to worry? No one is going to target me, I’m not famous.” This is a fair point, but it misses something fundamental about hacking. Hacking is rarely a personal thing. With nearly a billion people on the internet, it’s far more lucrative to automate the process of hacking.

So what does “automate the process of hacking” even mean? As I mentioned earlier, hacking is someone gaining entry into your computer without your permission. How does one do that? There isn’t any one way to do it, but the general principle is this — Your computer is connected to the internet, and so can be seen by any other computer connected to the internet if you know how to look for it. Once you know how to look for it, you look for weaknesses in the computer software (like Microsoft Windows, or Mac OS or Linux) to see if there’s any way you can fool it into letting you in.

This process is done by writing computer code (often referred to as just “code”). Code is how you instruct the computer to do certain specific things in a specific order, and at the end of your instructions the computer will produce whatever outcome you wanted. Code lets you automate your computer by telling the computer to repeat a certain action N number of times, and then you can forget about it until the computer is done.

So this means you can write a code to look for all the computers running Windows that are connected to the internet, and then keep poking Windows to see if it lets you in, and if it doesn’t then move on. If it does, perform a few further things to keep a record of which computer let you in and how you got in and then move on to new targets.

Read the above few paragraphs again — This means that if you’re connected to the internet, you’re at risk of being “hacked”. This mostly isn’t a problem as long as your computer is up to date, since Windows/Mac/Linux do a good job of keeping people out. But that doesn’t mean we shouldn’t take precautions against it. It’s unlikely our house is going to get burgled, but we still lock the doors at night.


Online security

The first line of defence is your account password.

The next big one is online security. How do you make sure your accounts on different websites don’t get compromised? There are some real horror stories about people have had their whole online lives destroyed.

A more realistic scenario is if a hacker access to a company’s database of email ID’s and passwords — Say someone gets into Facebook (it’s happened before) and steals the list of user email ID’s and passwords. Then it gets pretty easy to pair the right email with the password and gain access to anyone’s account.


The first line of defence is your account password. People often say this, and don’t really give any reasons for why this is important. To understand that, we’ll have to see what happens behind the scenes when you enter your password and login.

I have to use a little jargon here, so I apologize in advance.

Password Hashing

Websites rarely store your passwords exactly as you enter them. If you enter a password “bananaMilkshake” the password that the website will store will be 0e299b308b0f54f631c7366945eba963.

The second string of letters and numbers looks like gibberish, but the original password and the gibberish is related through very specific mathematical function called “hashing”. What hashing does is it converts a sentence of any length (1 letter, 1 word, 10000 words or anything else) into a string of letters and numbers of a fixed length. And given the same input sentence, you will always get the same output string of letters and numbers. So even though the hash shown above looks like gibberish, everytime I input bananaMilkshake, it will show me the same hash. However, it is not reversible. So if I have the hash and I want to find the sentence that was hashed, I cannot “reverse” the hash function.

You can play around with it and see how it works here.

If the above paragraph confused you, the takeaway is this — It is an irreversible process to convert a sentence of any length into a string of letters and numbers of fixed length.

The practice of “hashing” a password is a very powerful security tool. When you enter your password, the website calculates the hash of the password and then stores it rather than storing the actual password. This means that if their list of emails and passwords are stolen, then the attacker will not have the actual passwords but only the hashes of the passwords. And since hashes are irreversible, he can’t directly get the passwords.

But there are ways to get around this. There are lists of passwords that are floating around on the internet, and these lists can be huge (several thousand passwords). The strategy that hackers employ is to grab a whole bunch of these lists, hash all the passwords on the list and compare them to the hashes that they stole. If the hashes match, then they know what the password is.

They also use commonly used dictionary words in different combinations. So in our example, bananaMilkshake is a terrible password because they are both dictionary words. But because the “m” is in uppercase it makes the process of figuring out the hash slightly more difficult.

https://xkcd.com/936/

So a long account password can greatly improve the security of your account. However, it is also very important to use a different password for every website — especially websites that hold financial information (like debit card numbers and bank information). A password manager can help with this (I recommend Keepass) by generating a long string of random letters and numbers for each website. You only have to remember one password — the password to the manager itself. It does the rest of the work for you.

Also, do not use CorrectHorseBatteryStaple as your password. It’s on every list anyone has ever made.

Epilogue

I’ve attempted to explain why it’s important to think about safety and privacy online in as simple a manner as I am able. I’ve written another article explaining specific software that can help with these problems.

If you thought this helped, please share this with anyone you think will be interested! The more people that know about it and do something, the less that organizations like the NSA can get away with blanket spying on everyone.