Privacy … NOW!

Your pragmatic field manual to privacy … NOW!

Alex Rabke
Published in The Capital
7 min read · Feb 20, 2020

The Problem

I had a conversation recently with a very intelligent person whom I respect greatly and who has deep knowledge of encryption and privacy-enhancing technologies (PETs). We were discussing the idea of digital privacy in the modern age during a dinner meeting and she stated sardonically, “Privacy’s dead.” I tended to agree.

Over the past few weeks as I have socialized in my industry, continued to study and research the various topics I am interested in, and walked around conferences throughout the country, I gave deeper thought to this topic. Perhaps it was inspired by conversations with industry friends about the notion, or perhaps it was inspired by my listening to Bitcoin Privacy & OpSec, or perhaps it was inspired by the small army of large-font-imprinted-on-plain-black-hat clad evangelists wandering around at crypto conferences, or perhaps a combination of the above.

Regardless, I came to the firm realization that Privacy is NOT dead …

It’s just unreasonably difficult to ensure internet privacy for the average person.

And now I realize that my very intelligent and knowledgeable colleague is more ‘complacent’ than ‘right’ when it comes to this assertion. Though I don’t blame her. Maintaining any substantial degree of privacy, whether it be digital or not, is a difficult, inconvenient, time-consuming and often expensive task.

“Privacy is the power to selectively reveal oneself to the world” — A Cypherpunk’s Manifesto

The Good News:

The notions of data self-sovereignty and digital privacy have become mainstream discourse in many circles due to the increasing awareness of encryption-based technologies over the past several decades. Most notably, this ethos was brought to mainstream awareness over time by the Cypherpunk community and memorialized by Eric Hughes’ A Cypherpunk’s Manifesto. So much so, that there are now broad communities, mature projects, dedicated teams and noble companies committed to helping individuals (re)claim some degree of privacy (this is a good thing!).

“So What Can I Do?”

My interest in this topic and path to improved privacy is a journey (and one that I am still on), as I imagine it is for most. Ultimately, I’m hoping to provide a ‘fast start’ guide to Privacy NOW! for the average Joe or Jane looking to enhance their degree of internet privacy and “more selectively reveal themselves to the world”. Below is a list of tools that may (like any tool, assuming they are used correctly) help contribute to improved privacy and, I hope, require less time, energy and inspection than it has taken me. Note: This is not, by any means, an extensive list. Rather, it is a ‘jumping off point’ based on ease of use. I do not officially endorse nor have any financial or commercial relationships with any of the below-referenced organizations.

Browsers — tools like device fingerprinting and cookies embedded in standard browsers collect extensive data on your browsing activity and share that with third parties such as advertisers and service providers.

  • Brave — An open-source browser built on top of Chromium (an open-source version of the Chrome browser)
    Benefits/Challenges of Tool — Brave does not collect any data about your online activity. There is also a neat incentive mechanism through Basic Attention Token (BAT) rewards aimed to get around the advertising economy of traditional browsers. On the other hand, the browser has limited/poor support for plugins that many users may view as essential to their browsing experience.
  • Tor Browser — free and open-source software for enabling anonymous communication. The name is derived from an acronym for the original software project name “The Onion Project”.
    Benefits/Challenges of Tool — Tor encrypts and bounces internet users’ and websites’ traffic through “relays” run by thousands of volunteers around the world, making it extremely hard for anyone to identify the source of the information or the location of the user. Unfortunately, Tor Browser also blocks many plugins like JavaScript, which can render certain (many) websites unusable.

Email — where to begin? Email can be compromised on your device, on your (or someone else’s) network, on the servers themselves, and on the recipients’ device or network. Further, a compromise does not necessarily require unauthorized access by a bad actor; it can occur, for example, when a third party voluntarily hands over your data.

  • ProtonMail — ProtonMail offers free, encrypted email that doesn’t require personal information to create an account. Nor does PM maintain IP logs that can link you personally to an account.
    Benefits/Challenges of Tool — A few concerns to be aware of, however: subject lines are not encrypted, it utilizes phone number verification (not secure), and it is funded in part by government entities.

Messaging — Exposed plain text, messaging habit analysis (even based on encrypted messages), and back-door decryption are all reasons to consider a privacy-enhancing messaging app. While not perfect, there are some decent options out there.

  • Signal — recently having received a $50mm cash infusion, Signal has ambitious plans to massively expand its user base.
    Benefits/Challenges of Tool — widely considered to be the most ‘secure private messaging app’, Signal offers valuable features like disappearing messages, although the UI can be crowded with unwanted notifications and there have been instances of updates to the software that triggered unwanted behavior in the app.
  • Pidgin — a multi-protocol instant messenger that allows users to log into numerous accounts simultaneously.
    Benefits/Challenges of Tool — Pidgin is most beneficial for heavy communications users, although VoIP functionality is limited and passwords are stored in plain text (eek!).

Cloud Storage — there are many concerns with cloud storage that ultimately boil down to the fact that someone else is holding your data. Potential issues and attack vectors include (but are not limited to): shared servers, lack of backup, data leakage, rogue devices, API and storage gateways, and key management (not your keys, not your data!).

  • Tresorit — Primarily subject to Swiss jurisdiction (privacy friendly), Tresorit offers store, sync and share services from the cloud.
    Benefits/Challenges of Tool — end-to-end encryption, zero-knowledge file access, and client-side protections offer a strong degree of security and privacy. Ultimately though, the cloud is the cloud and when you use OPP (other people’s products) you are not in control of your data.

Password Managers — challenges with password managers include single points of failure, vulnerabilities due to cloud architecture and sync issues across multiple devices. Using a password manager is an absolute best practice but typically there is a compromise between security and usability.

  • KeePass — an open-source password store that is effective but designed for utility and offers a piss poor user interface.
  • LastPass — criticized for being cloud-based and not open-source, I am listing it here because LastPass offers a relatively good user experience and enables multi-device syncing as well as compatibility with a broad selection of hardware wallets for multi-factor authentication. It is a pragmatic way to get started.

Currencies — without going down the cryptocurrency rabbit hole about what exactly constitutes a currency, a few options that are focused on privacy are listed below, with a great, more detailed summary HERE. Across all, the commercial feasibility and mainstream usability of these technologies are still up for debate and therefore may be viewed as a disadvantage.

  • Monero — a hard fork of Bytecoin, Monero uses multiple ‘layers’ of privacy to help ensure the anonymity of users on the network. Ultimately the addresses of both the sender and receiver are kept private on the ledger through the use of ‘stealth transactions’, ‘ring signatures’ and ‘ring confidential transactions’.
  • Zcash — created as an alternative to Bitcoin, Zcash uses advanced cryptographic techniques (zk-SNARK and ZSL) to produce a ‘shielded-address’ approach to maintain privacy of transactions and anonymity of users.
  • Dash — not created with the sole purpose of privacy, the benefit of Dash is that it supports high transaction volumes and therefore is more pragmatic for payments-based use cases. Dash leverages the CoinJoin anonymization strategy to protect the privacy of its users.

And, finally, encrypt all your devices, people! Again, a best practice.

HONORABLE MENTIONS: because this post is just a ‘jump start’ guide and there are many more advanced (typically more complex) tools out there, I have referenced a few ‘honorable mentions’ below that will inevitably lead you down the deep, deep rabbit hole that is internet privacy. I truly hope this guide has been useful to you and others in their pursuit of digital self-sovereignty. Onward.

Alex Rabke
Sales & GTM Professional. Passionate about evolving business models in high and near-tech. More here: www.alexrabke.com