Encryption and Privacy - What I’m Using
Are we to blame for this stuff not being easier to use?
Can you imagine if an email program shipped today without a “reply all” feature? Or a browser shipping without tabs? It’s a crazy prospect because those things are so frequently used, to not include them would ensure instant death for this new software. I’ve often complained publicly that privacy and encryption tools aren’t thought to be just as crucial, and expressed some annoyance that developers don’t consider them mandatory. Afterall, if these options were baked in and simple people would use them all the time, right? Or at least much more frequently. Recently a friend threw this back at me and asked if we, all of us, are not to blame for these things having a low priority because we neither use them regularly nor demand their inclusion in our software?
I initially objected to this idea, but the more I thought about it the more it rang true. Saying “it’s too hard to use so I’m not going to bother using it” doesn’t provide any motivation for people to make it easier because hell, people aren’t using them anyway. On the other hand if people used these things regularly and “how hard it is” became a common gripe, then making it easier would suddenly be very attractive. Looking at it this way, maybe we really do only have ourselves to blame that these technologies and assurances aren’t ubiqitus. And when faced with a realization like that, I always feel like I have to at least try.
So I spent a few days looking back over the tools I’ve used in the past, the tools I want to use now and bringing things a bit more up to date. There’s always a balance between convenience and usefulness because I know myself and if something is a pain in the ass I’ll eventually stop using it. So one of my main criteria here is that is has to be easy to use, even if there are a few hoops to jump through in the initial set up stages. I’m a Mac users and do a lot of my work in the browser so I have a preference for tools that “just work.”
As I have these conversations with others from time to time, I thought I’d share what I found and what I implemented so that perhaps others might find something useful in the mix. I don’t pretend to be an expert here and welcome suggestions for improvement.
TOR [download] - This as the low hanging fruit of internet privacy. Everyone should be running Tor all the time. Tor doesn’t so much hide what you do on line as it scatters the breadcrumbs you leave all over the place making it incredibly difficult to trace traffic back to individual users –and the more people who use Tor the better it works. If you read TMZ on your laptop while using the wifi in a coffee shop, snooping eyes would be able to determine that someone at the coffee shop wanted the latest celebrity gossip, but it would be hard to pinpoint exactly who. For many years I complained that Tor was too hard to install and use, and that seems to be completely corrected with the tor bundle. The bundle includes Vidalia (which is the heart of Tor) and the Tor Browser which is a preconfigured version of Firefox designed to maximize your browsing privacy. Personally I find Tor Browser to be too restrictive for what I want to do online and how I want to do it, but I run Vidalia religiously and hope that what I lose by not using Tor Browser is covered by some of the other stuff I have installed.
That said, whatever browser you are using can be a bit more private simply by making sure to install these plugins which help limit/block collection of information about you:
I also changed my default search engine in the browser from Google to DuckDuckGo which you can easily do in the settings. Most search engines keep records of all your search requests and can tie them back to you, DuckDuckGo doesn’t keep any logs at all. It’s a small thing, but it’s one more for the arsenal.
For mobile browsing, Onion Browser on iOS routes all your web traffic through Tor as well, though it’s slow as all get out which might make it a deal killer for many people who need speed on their mobile devices.
VPN - A virtual private network provides something of a private tunnel between you and whatever you are accessing on the web, shielding it from prying eyes along the way. Back at that coffee shop, if you’d been running a VPN only you and TMZ would know your secret - the coffee shop, their ISP and everyone in between would only see traffic between you and the VPN, without knowing what any of it was.
My favorite VPN that I’ve used for years is privateinternetaccess. It’s reasonably priced and works like a charm, all the time, from everywhere. It also has the bonus of having iOS/mobile support so that you can set it up on your iPhone/android device as well.
I’m also quite fond of iPreditor though admittedly I’m biased towards anything created by the team behind TPB. I don’t know if there is any value in doubling up on VPNs, but I do it from time to time.
This has always been the stumbling block for me. Setting up PGP/GPG was near impossible without hours of work, required the use of standalone apps and there was very little payoff since no one else was using it. Or relatively few people away. Recently I discovered the mailvelope plug in for Chrome and it’s a dream come true. It painlessly adds encryption options to your browser for web mail (such as gmail) and makes super easy to use. It’s for Chrome only at the moment (though they have a beta for Firefox on Github) though I’ve heard WebPG is does the same thing for Firefox, however I haven’t tried it.
Mailvelope provides a lot of tools right in the browser and is based on OpenPGP, but I installed the macGPG kit as well which I’ve found to be a little more robust and didn’t see any problem with using both. [Update: GPGtools 2 was just released and pairs perfectly with OSX Mail.app]
Last year Google started alerting users if their accounts were the target of State Sponsored attacks, and shortly there after I and a few people I work with got notices alerting us to just that fact. While I’m not ready to move away from gmail for most things, I thought it might be prudent to have a backup plan as well and I registered for an email account with Riseup. This might be a bit more than most people need or are interested in, but I figured why not?
Adium [download] - A confusing things for a lot of people who use Google’s in browser chat is that taking it “off the record” just means that Google doesn’t store the log in your email. It’s not really any more secure. For chat, even with gchat, I use a client called adium and religiously use the built in OTR option. This is true off the record chat encryption and ensures that no one between you and the person you are talking to can read along.
This isn’t everything, but it’s some things and I feel like, I hope anyway, that by using these things and encouraging others too as well, together we’ll help popularize them and encourage developers to make them simpler, and more often built in. This isn’t the end of the conversation by a long shot, it’s barely the beginning, but at least it is a beginning.
I very much welcome feedback on this set up (as I’m sure it’s not perfect), as well as suggestions and modifications as well. I know that it doesn’t matter how good 99% of your set up is if 1% fails, but this experiment isn’t really about making a 100% secure system as it is just integrating some of these technologies into everyday use to make them more common. Thanks for reading.
• The Atlantic: The Irrationality of Giving Up This Much Liberty to Fight Terror
• Thought Crime: We Should All Have Something To Hide
•Daily Kos: Don’t Even Think Of Using Encryption Software To Escape NSA Scrutiny