Safeguarding your Internet privacy in 14 easy steps

Nida Nizam
Published in newspeaknews
Apr 7, 2017

Following S.J.Res.34, it is critical that Internet users everywhere upgrade the measures we take in the interests of privacy and control over our individual data. This is the first installment in a many-part series on Internet privacy and precautions, so please send in your questions on the topic. This list will assist you in minimizing recordable user data and safeguarding against a few kinds of threats. It is inspired by a piece from Mark Daku, one of my professors at McChill University.

Before you begin, you should figure out what your actual vulnerabilities are. If you’re not banking online, you don’t have to worry about your banking information being stolen in anything other than the old-fashioned way (at a vault, with like, real robbers). If you only use the Internet for one or two specific things like cat videos and something equally wasteful, you may not care as much about browser security (unless, of course, you find yourself making exceptions).

Here are some critical pieces of advice floating around with caveats attached!

1. Use HTTPS everywhere.

Hyper Text Transfer Protocol Secure (HTTPS) is the secure version of HTTP, the protocol over which data is sent between your browser and the website that you are connected to. The ‘S’ at the end of HTTPS stands for ‘Secure’. It means all communications between your browser and the website are encrypted. Take HTTPS with a grain of salt; a new browser extension called “Let’s Encrypt” now allows you to input URLs and gain that “secure” green eye. So dangerous phishing sites can project an appearance of being far more secure than they really are.

In any case, download HTTPS Everywhere, the browser extension for Firefox, Chrome, and Opera that can also be installed on Android devices. It’s a collaboration between the Tor Project (we’ll get to that later) and the Electronic Frontier Foundation. If you’re a website operator, you can check their HTTPS Everywhere Atlas to see where the HTTPS rules are in effect.

2. Encrypt your e-mails

Your e-mail data is subject to monitoring and sale like that of most free Internet services. The Fourth Amendment of the Constitution (“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated”) hasn’t been interpreted to protect some people’s emails — say, in the case of employers and employees.

The real-time interception of contents of electronic communication is prohibited under the Wiretap Act, while the Pen Register Act provides protection for the interception of the non-content part of the electronic communication. Once the email is stored on a computer (email server/user computer), it is protected from unauthorized access under the Stored Communications Act (Title II of Electronic Communications Privacy Act). Non-content includes to and from fields, but not the subject field.

Under the provider exception, these laws and others do not apply to “the person or entity providing a wire or electronic communications service.” This means free email providers (Gmail, Yahoo Mail, etc.) can mine users’ emails to personalize contextual advertising. This is a key complaint of ISPs — that private internet companies can monetize this data and they cannot, thereby skewing market competition.

In Mark’s words: “Sending an e-mail across the internet is the equivalent of shouting it out in a football stadium. Sure, it’s loud and there are so many other conversations happening that it seems unlikely that yours will be listened to, but it’s not impossible — and the reality is that security services no longer listen to your conversation, they record all of them, and then go back later and search if they feel the need to. If you’re going to yell in a crowded room, better to yell gibberish. Here is an excellent simple tutorial to get started.”

You can also check out ProtonMail, an encrypted e-mail service based out of Switzerland (those guys know a thing or two about privacy). Please feel free to send him — or me — an encrypted test e-mail!

3. Utilize message platforms with caution

Be careful about what you share via messenger services, and not just because they may end up capitalizing on your data. It is very easy for you or someone you talk to to lose a phone, and based on viral YouTube videos of a hedgehog doing it, unlocking them isn’t as difficult as it should be.

Besides, while Facebook Messenger and WhatsApp say they provide end-to-end encryption, there’s no reason they would necessarily keep your messaging information — or, if they are keeping records of them, your encryption keys — private.

Services such as iMessage are encrypted as well, and have a lot more to lose if their users’ security becomes compromised. That being said, they can and have cooperated with the authorities when subpoenaed for user info. Popular encrypted messaging app Signal cannot even if they wanted to — because they don’t have the encryption keys. That doesn’t mean they aren’t vulnerable to regular phone malware or app issues, or that someone who steals your phone and manages to unlock it can’t take a look-see.

4. Use a password manager

Having the same password for everything is bad. You know that, I know that, Wishbone the dog knew that, but it doesn’t stop people from trying to minimize what they have to remember. Having a short password is bad too.

Hackers were able to use the same credentials from LinkedIn, Adult Friend Finder, and Ashley Madison hacks because people use the same passwords for lots of things. Plus, attacking people’s passwords by brute force is getting easier and easier — by using technology to simply try all the combinations possible, which works especially well on short passwords.

I use OnePassword, but I forgot my OnePassword (not kidding) and need to fix it. I’ll do it today because I cannot justifiably tell you what to do otherwise. The benefits of using a password manager — besides having to remember only one password — include being able to have truly long, random passwords for all of your accounts, and being able to change them easily with a built-in random password generator.
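To put numbers on why short passwords fall to brute force and long random ones do not, here is an added example (not from the original article) that generates a password the way a manager's built-in generator might and estimates the worst-case time to try every combination. The 94-character alphabet and the rate of 10 billion guesses per second are assumptions chosen for illustration.

```python
import math
import secrets
import string

# 94 printable ASCII characters; an assumed alphabet for this example.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed attacker speed for an offline attack on a fast hash (illustrative).
GUESSES_PER_SECOND = 1e10


def generate_password(length=20, alphabet=ALPHABET):
    """Draw each character from the OS CSPRNG via secrets, never random."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace_bits(length, alphabet_size):
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(length, alphabet_size, rate=GUESSES_PER_SECOND):
    """Seconds needed to try every possible combination at the given rate."""
    return alphabet_size ** length / rate


def humanize(seconds):
    """Render a duration in the largest unit that fits."""
    units = (("years", 31_557_600), ("days", 86_400),
             ("hours", 3_600), ("minutes", 60))
    for unit, size in units:
        if seconds >= size:
            return f"{seconds / size:.3g} {unit}"
    return f"{seconds:.3g} seconds"


def compare(cases):
    """cases: (label, length, alphabet_size) -> (label, bits, exhaust time)."""
    return [
        (label, round(keyspace_bits(length, size), 1),
         humanize(worst_case_seconds(length, size)))
        for label, length, size in cases
    ]


if __name__ == "__main__":
    print("generated:", generate_password())
    # Constructed comparison cases, not measurements of real passwords.
    for row in compare([
        ("8 lowercase letters", 8, 26),
        ("8 printable ASCII", 8, 94),
        ("12 printable ASCII", 12, 94),
        ("20 printable ASCII", 20, 94),
    ]):
        print(row)
```

These figures only hold for passwords chosen uniformly at random; a reused or human-chosen password falls to credential lists long before the keyspace is exhausted.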

My friend David’s parents use a simple storage system on what’s known as a sheet of paper and keep family passwords by a computer. There’s no promise that someone in your family won’t just… take a picture of it, but it’s more difficult to remotely compromise. I tried this with my family in a special little binder and it ended up shredded within the week, so do what works for you.

5. Use multiple e-mail accounts to keep your data spread out

If you:

  1. Don’t want companies or other people to have your real email account where they can bother you about things — or send you e-mail trackers like sales software does
  2. Hate spam or are concerned that you might accidentally click on it
  3. Don’t want the entirety of your correspondence data logged and sold at once

Then you may want to do one of the following:

  1. Designate a specific e-mail account for all the random stuff requiring credentials that you don’t actually use.
  2. Use a temporary e-mail address for services requiring e-mail confirmation that you don’t want to be associated. You can use 10minutemail.com, which generates an e-mail address that disappears after 10 minutes. That’s long enough to confirm your account and get started without a trace.
  3. Use unlinked Gmail accounts. As Mark explains in his article linked above — “This requires you to pay cash for a SIM card that is used to confirm your Gmail account, and then it requires vigilance to keep this e-mail separate from other aspects of your life. A lot more work, but could be worth the peace of mind.”

6. EBB — Encrypted Browsing, Bitch!

Most people don’t need to do this, but if you are researching some *stuff* you can be completely anonymous by using The Onion Router and Tails. Firefox, Chrome, or other conventional browsers can still betray your physical location and which sites you visit based on what’s being sent to and from your computer, even if hackers can’t read the contents of what’s being sent. Governments or ISPs can block access to a website entirely.

If you need to be anonymous for whatever reason (like if you’re a revolutionary or a journalist or just a creep) then you need to use the Tor network. The Tor network is an internet protocol that bounces your web requests across the world in multiple layers of encryption before your end goal website gets it. Tor also hosts websites (called “onion sites”) that are inaccessible from regular (read: normie) internet. Think political dissident websites (Crowdvoice) to forums for abuse survivors to drug markets (Silk Road) to normal stuff like the 1998 Space Jam website.

But how do I use Tor? It seems complicated.

It kind of is, but get over it. Download the Tor Browser and do not install extensions. It’s slower but that’s because it’s going all the way to the moon (other countries).

Mark says the Tor browser makes you anonymous, but not private. Although your web requests are anonymous, if you are posting on Facebook or sending an email through Gmail, they still know it’s you because you’re logged in. So don’t use stuff you need to log in with real credentials for while you’re on Tor.

FYI, the final connection to your destination website is only encrypted if that site supports HTTPS; just because you’re anonymous doesn’t mean that the final ISP connection to the site can’t be monitored. So most pornography sites are not going to be encrypted unless they are Redtube or some other ones that have made the leap.

Also, don’t download stuff — Tor nodes (the servers that bounce around your web requests) can be run by regular people and they can attach random junk to your files.

You can download Tor Browser from the official Tor Project site.

The EFF has a great interactive guide for how Tor (as well as HTTPS) protects your browsing. More information about the Tor network can be found on the official page for the Tor Project.

6. Cover up your camera

Your computer must already be compromised for a remote perp to access your camera. Covering up that camera will solve the visible spying, which only really matters if you’re doing exceptionally odd stuff in front of your open computer. It will not resolve the underlying malware problem — nor has much been said about audio.

You can buy a camera slide on Amazon. Take a hot minute and figure out which one works best for you, because you don’t want to discover your laptop won’t shut or something. Hope you’re creeped out.

7. VPNs

If you’re worried about creepy third-party tracking online, you can use free tools to protect yourself. However, the only way to protect your privacy from your ISP is to pay for a VPN. A VPN encrypts and routes your internet traffic through a private network, making it impossible for your ISP to see your browsing activity. The e-mail service I mentioned earlier, ProtonMail, provides ProtonVPN beta for free to all paid ProtonMail users. You can check out their article about finding the best VPN service. There are lots of free ones but the old “you get what you pay for” rule is in full effect here; you do not want a shoddy VPN for free that may lead to other problems in your life.

Enrique Darnes at Forbes says that VPNs should be a normal part of an individual’s Internet use and that you should choose carefully, bearing in mind TorrentFreak’s annual comparative. They state that “a VPN should not just encrypt our data, it should also protect us by not keeping any records.” If you can’t find a VPN with a convenient dearth of records, you can get one from a company that exists in a privacy-protecting legal jurisdiction, like the Netherlands or Germany.

Wired explains how to check whether the VPN keeps logs of user activity. Many privacy-focused VPNs have straightforward no-log policies because they want it to be very obvious that if any law enforcement group wants their cooperation or some records, they can’t even produce them. Wired also says “it is worthwhile to specifically check a company’s Terms of Service to see what it says there about logging and scenarios where it would (or wouldn’t) disclose user information.” That sounds awful, so maybe I’ll start adding that as a service once I actually get somewhere with this publication.

8. Discussing, using, and promoting two-factor authentication

Two-factor authentication requires a user to present multiple forms of identification (answering a question, knowing a password, inputting a code received on a text message etc.) for access. It can be very simple (what was your first dog’s name?) or annoying (please click this link in this one-time email to log in).

Passwords, even long, high-entropy ones, are getting less secure by the day. Two-factor authentication makes it more challenging to access an account by using a password in conjunction with a time-sensitive one-time key. The one-time key can either be distributed by a special app or, increasingly, a text message.

Compromising 2FA would either mean physically possessing the device that has the one-time codes, disabling 2FA (social engineering), or discovering a flaw with the 2FA generation method or the implementation. Basically, it would take some work. So get into it.

9. Social engineering. Learn what it is so you can avoid it.

According to Webroot, “social engineering is the art of manipulating people so they give up confidential information. The types of information these criminals are seeking can vary, but…criminals are usually trying to trick you into giving them your passwords or bank information, or access your computer to secretly install malicious software…. giving them control over your computer.” There are many ways to go about this, and one of the most important is called “spearfishing.” If you know me personally, you might remember when I became a spearfish a few years ago when my Gmail account was hacked and told everyone I knew that I was stranded in Spain with no money. A very good friend who was overworked and exhausted at the time actually sent me $900 without thinking. He did not get it back. One day when I have $900 I will give him some of it.

10. Don’t download controversial stuff even though it seems cool

Don’t download terrorist literature; for example, electronic copies of Inspire magazine are often loaded with tracking software by spy agencies and the websites distributing it are monitored.

11. Stop going places

But if you must, don’t travel internationally with any electronic device. Don’t bring removable media. Don’t bring a laptop. Don’t bring a Kindle. Don’t bring an iPad. Make arrangements to use a computer at your destination. Wipe it when done. (It’s challenging to recover data from a drive that’s been pulverized with a hammer.) Border agents usually have wide authority to search/copy/steal/seize/compromise your stuff. Don’t give them the chance.

If you really insist on going to a place, there are a few protective measures you can take; as of April 4th, the ban is subject to expanding to even more countries. Certain aircraft are also being targeted for additional screening upon landing.

As of late March, you can bring the following:

  • Smartphones
  • DVD players
  • Portable gaming systems
  • Wearable devices, such as smartwatches and fitness trackers

And you cannot bring the following:

  • Tablets
  • Laptops
  • eReaders
  • Anything that measures larger than 16cm x 9.3cm (6.9-inches x 3.66-inches.)

The ACLU has probably the most informative article on whether or not border agents can search your smartphone. If you’re traveling across the border, take note:

If you’ve given Customs and Border Protection agents the password to your device (or if you don’t have one), they might conduct what’s often called a “cursory search” on the spot. They might also download the full contents of your device and save a copy of your data. According to CBP policy from 2009, they are not required to return your device before you leave the airport or other port of entry, and they might choose to send it off for a more thorough “forensic” search. Barring “extenuating circumstances,” they claim the authority to hold onto your device for five days — though “extenuating circumstances” is an undefined term in this context, and this period can be extended by seven-day increments. We’ve received reports of phones being held for weeks or even months.

The Supreme Court ruled in 2014 that law enforcement agents need a warrant to search the smart phone of someone under arrest. Whether or not this is applicable at borders and in airports is now up in the air. What will happen to you depends on your status in the country — check the ACLU’s article above or comment if you think an additional article should cover this.

Here’s how to prepare, directly from the ACLU:

  • Travel with as little data and as few devices as possible. The less you’re carrying, the less there is to search. Consider using a travel-only smartphone or laptop that doesn’t contain private or sensitive information. You could also ship your devices to yourself in advance. (Be aware that CBP claims the authority to search international packages so it is best to encrypt any devices that you ship.) Keep in mind that a forensic search of your device will unearth deleted items, metadata, and other files.
  • Encrypt devices with strong and unique passwords and shut them down when crossing the border. A good resource on how to do so can be found here.
  • Store sensitive data in a secure cloud-storage account. Don’t keep a copy of the data in your physical possession, and disable any apps that connect to cloud-based accounts where you store sensitive communications or files. (There’s no articulated CBP policy on whether agents may click on apps and search data stored in the cloud. While this kind of warrantless search should be well outside the government’s authority at the border, we don’t know how they view this issue.)
  • Upload sensitive photos on your camera to your password-protected laptop or a cloud-storage account. Digital cameras don’t offer encrypted storage, so you should consider backing up your photos and deleting them from your camera and reformatting the camera’s memory card.

12. USB drives are a nightmare.

Sometimes they’re laden with malware which will run/install upon insertion, risking essentially any kind of attack involving software. One-third of malware in critical infrastructure came from users’ plugged-in USB drives, so be extra careful about what you plug in.

13. Rubber hose cryptoanalysis

If someone really wants your password/banking data/whatever, they can just hit you with a rubber hose until you give it to them. If someone really wants your compromising text conversations, they’ll steal your friends’ unprotected phones.

14. Remember that biometrics are terrible security

Taken together, these facts mean you can get compromised very easily and, once it’s happened, you’ll never be able to use fingerprints as security until you grow new fingers.

That’s it for now. Stay tuned for the next installment exploring what happened with the FCC regulation repeal and what’s to come.
